Skip to main content

Openclaw

526 CVEs product

Monthly

CVE-2026-62200 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62199 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62198 MEDIUM This Month

Authorization bypass in OpenClaw's native web search component allows authenticated lower-trust callers to invoke operations normally gated behind stronger policy checks. Versions 2026.5.28 through 2026.6.5 are affected, with exploitation requiring crafted input paths targeting misconfigured authorization logic - no special tooling needed given the low attack complexity. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable attack surface and low complexity reduce the barrier for abuse by compromised or malicious low-privilege accounts.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-62197 MEDIUM This Month

OpenClaw's browser CDP (Chrome DevTools Protocol) discovery component fails to enforce its own URL blocklist, allowing lower-trust authenticated users to reach network destinations that OpenClaw policy should have denied access to. The root cause is a Server-Side Request Forgery variant (CWE-918) where blocked WebSocket URLs submitted through CDP discovery are accepted and proxied without policy enforcement. The CVSS 4.0 vector (SC:H/SI:L) confirms the primary impact lands on downstream or segmented network resources - not OpenClaw itself - making this a network segmentation bypass rather than a direct system compromise. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-62196 HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62195 HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-62194 HIGH This Week

Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.

Privilege Escalation Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62193 MEDIUM This Month

Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-62192 HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-62191 HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-62190 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-62189 HIGH This Week

Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-62186 HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-59261 HIGH PATCH This Week

Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-53866 npm HIGH PATCH GHSA This Week

Allowlist bypass in OpenClaw versions prior to 2026.5.12 allows authenticated operators to execute unapproved shell commands by routing requests through inline-command parser cases that skip the expected allowlist enforcement. The flaw, reported by VulnCheck and tracked under GHSA-f397-5vjw-v2c2, effectively neutralizes the operator-approval boundary in OpenClaw's shell command path. No public exploit identified at time of analysis, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact with a present attack requirement.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-53865 npm HIGH POC PATCH GHSA This Week

Untrusted search path execution in OpenClaw before 2026.5.2 allows a local low-privileged user to coerce maintenance task routines into invoking attacker-controlled executables in place of the intended trash command. By manipulating workspace-derived environment paths consumed during maintenance operations, an authenticated user can hijack command resolution and run arbitrary binaries in the OpenClaw process context. No public exploit identified at time of analysis, but VulnCheck has published a dedicated advisory describing the workspace-derived service path abuse.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-53864 npm HIGH PATCH GHSA This Week

Environment variable sanitization weakness in OpenClaw prior to 2026.5.26 lets attackers smuggle Node.js control variables (such as NODE_OPTIONS) past the host environment sanitizer, enabling them to influence child-process behavior and coverage output paths. Affected attackers must have write access to workspace .env files, tool environment overrides, or skill environment blocks, and no public exploit is identified at time of analysis. The flaw was reported by VulnCheck and is tracked under CWE-184 (Incomplete List of Disallowed Inputs).

Authentication Bypass Node.js Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-53863 npm MEDIUM PATCH GHSA This Month

OpenClaw versions before 2026.4.25 expose an authorization bypass via unvalidated user-controlled group IDs in the tool group policy resolver, enabling authenticated low-privilege network attackers to manipulate access-control decisions for tool invocations. The CVSS 4.0 vector assigns VI:H (High integrity impact on the vulnerable system), reflecting that successful exploitation can cause the policy engine to grant or deny tool permissions contrary to the intended configuration. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AT:P metric indicates a specific attack requirement limits opportunistic mass exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53862 npm LOW PATCH GHSA Monitor

Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-53861 npm MEDIUM PATCH GHSA This Month

OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-53860 npm LOW POC PATCH GHSA Monitor

Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-53859 npm MEDIUM PATCH GHSA This Month

Hostname blocklist bypass in OpenClaw before 2026.5.26 enables authenticated attackers to reach operator-restricted network destinations by supplying trailing-dot notation in model- or workspace-derived URLs. The comparison logic evaluating hostnames against blocklist policies does not normalize fully qualified domain name (FQDN) trailing dots before evaluation, while DNS resolvers treat `blocked.example.com.` and `blocked.example.com` as identical targets. With confidentiality impact rated High by CVSS 4.0 and no public exploit or KEV listing identified at time of analysis, risk is real but bounded to deployments with active blocklist policies and users who control URL parameters.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53858 npm HIGH POC PATCH GHSA This Week

Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-53857 npm HIGH POC PATCH GHSA This Week

Authentication bypass in OpenClaw before 2026.5.3 allows remote attackers with low privileges to receive agent responses intended for other Zalo identities by manipulating their mutable display name to match allowFrom policy entries. The flaw stems from policy enforcement relying on mutable display metadata rather than immutable identifiers, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-53856 npm MEDIUM POC PATCH GHSA This Month

OpenClaw before 2026.4.24 exposes sensitive configuration data to other local users on shared hosts due to insecure file permissions set during the config recovery process. When recovery restores OpenClaw.json, the resulting file is created with overly broad permissions, allowing any low-privileged local user to read its contents. No public exploit has been identified at time of analysis, but exploitation requires only a low-privilege local account and a shared-host environment where the recovery path has been exercised.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-53855 npm HIGH PATCH GHSA This Week

Allowlist bypass in OpenClaw before 2026.4.2 lets authenticated operators smuggle inline-eval content through shell positional parameters, defeating the strict allowlist that is meant to constrain which tools and content the shell carrier executes. Successful abuse yields execution of unapproved shell-provided content with high confidentiality and integrity impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-53854 npm MEDIUM POC PATCH GHSA This Month

Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53853 npm HIGH POC PATCH GHSA This Week

Allowlist bypass in OpenClaw before 2026.5.12 lets authenticated attackers invoke approved executables with arbitrary arguments on Linux and macOS, defeating the argPattern restrictions intended to constrain each binary's permitted invocations. The flaw enables disallowed file access, network access, or command execution under the privileges of the OpenClaw exec subsystem, with no public exploit identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.3%
CVE-2026-53852 npm LOW POC PATCH GHSA Monitor

Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-53851 npm MEDIUM PATCH GHSA This Month

OpenClaw before 2026.5.12 fails to enforce its own notification filter for Slack reaction events, allowing those events to bypass a disabled-notification setting and reach the agent processing pipeline (CWE-862: Missing Authorization). Any user with Slack workspace access can send reaction events to channels monitored by OpenClaw, triggering unintended agent execution with lower-trust input even when administrators have explicitly disabled reaction notifications. No public exploit code exists and no active exploitation has been confirmed at time of analysis; the CVSS 4.0 score of 6.3 reflects a moderate-severity, narrow-impact integrity issue.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-53850 npm MEDIUM POC PATCH GHSA This Month

OpenClaw before version 2026.4.25 permits authenticated local callers to invoke the focus command without passing proper authorization checks, enabling control scope enforcement bypass (CWE-862: Missing Authorization). Any low-privileged local user can alter focus state outside their intended caller authority, with downstream impact varying by gateway configuration and input trust levels. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-53849 npm HIGH POC PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-53848 npm LOW PATCH GHSA Monitor

OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-53847 npm MEDIUM PATCH GHSA This Month

Privilege escalation in OpenClaw before 2026.5.6 allows authenticated Gateway operators holding operator.write access to modify global configuration that should be restricted exclusively to operator.admin privileges. The root cause (CWE-266: Incorrect Privilege Assignment) lies in insufficient scope validation within the Active Memory write scope, which fails to enforce the boundary between the write and admin privilege tiers. No public exploit has been identified at time of analysis; however, the network-accessible attack vector (AV:N, PR:L) means any authenticated operator-level account across the deployment is a viable exploitation path with low attack complexity.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53846 npm HIGH POC PATCH GHSA This Week

Untrusted search path in OpenClaw versions prior to 2026.4.29 lets workspace-local .env files override the npm_execpath variable consulted by the install helper, redirecting bundled dependency installation to an attacker-controlled package-manager binary. An attacker who can place files in the workspace can hijack the runtime dependency setup step to compromise the build environment under the developer's identity, with no public exploit identified at time of analysis.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-53845 npm LOW PATCH GHSA Monitor

Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-53844 npm MEDIUM POC PATCH GHSA This Month

Session visibility check bypass in OpenClaw's shared memory search component allows authenticated low-privileged users to retrieve memory entries belonging to other sessions without proper authorization. All OpenClaw versions prior to 2026.4.29 are affected; the flaw (CWE-862, Missing Authorization) exists because the session visibility guard is not enforced on the shared memory search code path, yielding a high confidentiality impact against multi-session deployments. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.0 with VC:H signals meaningful data exposure risk for any environment where multiple users or sessions operate concurrently.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53843 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.26 allows an attacker with a previously paired device to re-establish WebSocket node-level authority after the session has been revoked, effectively defeating the revocation control. The flaw stems from a surviving pairing-scoped device session that can mint new node tokens without renewed approval, letting authenticated attackers retain unauthorized node-level access longer than intended. No public exploit identified at time of analysis, but the issue is acknowledged in a GitHub Security Advisory (GHSA-q99w-vh6v-q3v7) and a VulnCheck advisory.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-53842 npm HIGH PATCH GHSA This Week

Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-53841 npm LOW PATCH GHSA Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-53840 npm MEDIUM POC PATCH GHSA This Month

OpenClaw's streamable-http MCP server implementation leaks operator-configured custom headers to attacker-controlled origins during cross-origin HTTP redirects. All OpenClaw versions before 2026.5.12 are affected, and any deployment that places sensitive values - API keys, tenant-routing credentials, or bearer tokens - in operator-configured custom headers is exposed. An attacker who controls or has compromised an MCP endpoint can trigger a cross-origin redirect, causing OpenClaw to forward those headers to an origin the attacker controls, resulting in credential theft. No public exploit has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-53839 npm MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53838 npm MEDIUM PATCH This Month

State mutation in OpenClaw's node pairing reconnection logic allows a low-privilege paired node to escalate its effective authority by confusing the approval scope engine, potentially bypassing access restrictions within the system. Affected versions are all OpenClaw releases before 2026.5.27, as identified by CPE cpe:2.3:a:openclaw:openclaw. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity impact is rated High given an attacker can restore or inflate node authority beyond what was originally sanctioned.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53837 npm MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53836 npm HIGH PATCH This Week

Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution allowlist by submitting encoded-command flag aliases (abbreviated forms) that the allowlist parser fails to recognize. The flaw enables execution of arbitrary PowerShell payloads with full confidentiality, integrity, and availability impact on the host. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53835 npm LOW PATCH Monitor

Configuration enforcement bypass in OpenClaw's Feishu dynamic-agent binding subsystem permits authenticated senders to create or update sender-agent bindings while circumventing configured config-write access controls. All OpenClaw versions prior to 2026.5.6 are affected; an attacker holding valid sender credentials can modify binding state beyond intended policy, potentially redirecting or hijacking agent associations belonging to other users. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrow impact scope and prerequisite deployment conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53834 npm HIGH PATCH This Week

Authorization bypass in OpenClaw's QQBot component before version 2026.4.27 allows authenticated senders to invoke slash commands before allowFrom policy checks execute, effectively skipping operator-configured access controls. The flaw stems from pre-dispatch command handling that runs prior to policy enforcement, enabling blocked senders to trigger command handlers depending on deployment configuration. No public exploit identified at time of analysis, and CVSS 4.0 scoring of 8.2 reflects high integrity impact with an attack requirement (AT:P) suggesting non-trivial conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-53832 npm HIGH PATCH This Week

Identity header forgery in OpenClaw before 2026.5.18 allows local same-host callers with access to the proxy-facing Gateway port to spoof trusted-proxy identity headers and assume operator identity. The flaw stems from missing validation of headers normally set by an upstream trusted proxy, enabling privilege escalation when the Gateway port is reachable locally. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-53831 npm HIGH PATCH This Week

Information disclosure in OpenClaw before 2026.5.18 lets authenticated operators abuse shell metacharacter expansion within the system.run safe-bin allowlist to read unintended node-local files on POSIX nodes and exfiltrate sensitive configuration data. The flaw bypasses command-policy enforcement because the allowlist validates a literal command string while the underlying shell re-interprets it at execution time. No public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-53830 npm MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53829 npm HIGH PATCH This Week

Command approval bypass in OpenClaw versions prior to 2026.5.18 allows authenticated users to smuggle malicious instructions past human approvers by exploiting how the approval UI truncates oversized exec commands. The flaw (CWE-451, UI misrepresentation) lets an attacker craft a request with a benign-looking prefix while a malicious suffix is hidden from the reviewer's display, resulting in unauthorized execution once the request is approved. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-53828 npm HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.6 allows authenticated senders to invoke owner-only native commands without satisfying the configured owner-command policy. Any user with valid credentials can therefore execute privileged operations reserved for the resource owner, undermining the access control model. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-p73f-w79w-jqr5) and a VulnCheck advisory document the flaw.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53827 npm MEDIUM PATCH This Month

Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53826 npm LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53825 npm HIGH PATCH This Week

Arbitrary local file read in OpenClaw before 2026.4.7 lets authenticated Gateway operators holding the operator.write scope coerce the memory-wiki ingest feature into importing the contents of arbitrary local files. The flaw, reported by VulnCheck and tracked as GHSA-p2fh-f5fc-44hr, enables disclosure of sensitive host files (credentials, config, secrets) into wiki memory, but no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-53824 npm MEDIUM PATCH This Month

OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.

Microsoft Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53823 npm HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.3 allows attackers with access to a Slack account to spoof identity by changing their mutable Slack display name to match an allowFrom policy entry, gaining agent access intended for another user. The root cause is authentication binding to a mutable identifier (CWE-290) rather than a stable Slack user ID. No public exploit identified at time of analysis, though an upstream advisory (GHSA-c29c-2q9c-pc86) and VulnCheck writeup describe the flaw in detail.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-53822 npm HIGH PATCH This Week

Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between approval and execution, bypassing the allowlist enforcement. The TOCTOU-style race against the approval gate lets attackers execute unapproved command shapes with the application's privileges, with no public exploit identified at time of analysis but a vendor advisory published via GHSA.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53821 npm HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin scope without server-side validation against pairing or trusted-proxy authorization state. Attackers with low-privileged WebSocket access can invoke admin-gated Gateway RPCs, and no public exploit identified at time of analysis despite CVSS 4.0 score of 8.7.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53820 npm MEDIUM PATCH This Month

OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53819 npm HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skill installation by planting a workspace-level .env file that overrides the trusted Homebrew path. The flaw, classified as CWE-426 (Untrusted Search Path), enables full system compromise when an operator installs a tampered skill. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53818 npm MEDIUM PATCH GHSA This Month

Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-53817 npm HIGH PATCH GHSA This Week

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information during Control UI device pairing and escalate temporary shared access into durable, admin-capable device tokens that persist across token rotation. The flaw stems from insufficient locality-derived trust validation (CWE-290), enabling lateral conversion of low-privilege sessions into persistent administrative credentials. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53816 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.18 allows a paired node to forge exec lifecycle events and obtain capabilities reserved for nodes holding system.run authorization. By sending crafted node.event messages, an attacker controlling any peered node can steer gateway sessions into exec-event paths and execute privileged operations, with no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-53815 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.19 allows authenticated lower-trust users to read messages from channels outside their allowlist by abusing missing validation in message read actions. The flaw maps to CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 7.1 with high confidentiality impact; no public exploit identified at time of analysis, but a vendor patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-53814 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.20 allows attackers holding a valid hook token to invoke owner-only MCP tools through the /hooks/agent endpoint, because hook-triggered agent runs are incorrectly granted owner-scoped MCP loopback authority. Successful exploitation lets a low-privileged hook caller execute privileged actions such as modifying persistent cron state, with no public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53813 npm HIGH PATCH GHSA This Week

Path traversal in OpenClaw before version 2026.4.25 allows attackers with workspace access to manipulate local package root resolution and load memory-core artifacts from attacker-controlled locations, leading to arbitrary code execution or sensitive data disclosure. The flaw stems from workspace state influencing artifact resolution paths (CWE-427, Uncontrolled Search Path Element). No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory describing the fake package root resolution technique.

Path Traversal Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-53812 npm MEDIUM PATCH GHSA This Month

Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-53811 npm HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53810 npm HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53809 npm MEDIUM PATCH GHSA This Month

OpenClaw's embedded runner policy incorrectly resolves provider aliases against other aliases rather than their canonical provider identities, enabling an authenticated local user to bypass intended provider policy restrictions. When the affected provider alias feature is active, a low-privileged attacker can select bundled tool access that falls outside the scope their policy should permit, effectively sidestepping the authorization boundary. No public exploit has been identified and no active exploitation is confirmed via CISA KEV; the local attack vector and required feature enablement materially limit real-world exposure.

Canonical Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-53808 npm MEDIUM PATCH This Month

Approval policy bypass in OpenClaw's Skill Workshop apply flow allows remote attackers to apply workshop configuration changes without completing the required authorization step. Versions prior to 2026.5.6 fail to enforce the `approvalPolicy: pending` gate when agent tool calls include `apply: true`, effectively granting unauthorized write access to skill configurations. No public exploit code has been identified at time of analysis; a vendor-released patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-53807 npm HIGH PATCH This Week

Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53806 npm HIGH PATCH GHSA This Week

Command execution bypass in OpenClaw before 2026.5.12 lets low-privileged remote users smuggle inline shell content past exec allowlist revalidation by combining POSIX shell flags into a single argument. The flaw exists because parsing logic treats grouped option characters differently from discrete flags, enabling unintended command paths when the affected exec feature is enabled. No public exploit identified at time of analysis, but the issue was reported by VulnCheck and a vendor advisory plus patch are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-35674 npm HIGH PATCH This Week

Scope bypass in OpenClaw versions prior to 2026.5.18 allows authenticated clients holding only the operator.write scope to invoke privileged Gateway commands via the chat.send route, escalating from limited operator access to full administrative control. Exploitation lets remote attackers mutate plugins, configuration, MCP settings, allowlists, and ACP rules that should require operator.approvals or operator.admin scopes. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.7 (high) and low attack complexity make this a serious privilege-escalation issue for any multi-tenant or delegated OpenClaw deployment.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-35673 npm MEDIUM PATCH This Month

SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-35630 npm HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.5
EPSS
0.0%
CVE-2026-34507 npm LOW PATCH Monitor

Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-32906 npm LOW PATCH Monitor

Privilege escalation in OpenClaw's Slack plugin approval workflow allows authenticated users holding limited exec permissions to bypass operator-configured approval splits by resolving plugin approvals through the exec approver gate - approving actions outside their intended authorization boundary. All OpenClaw versions before 2026.5.12 are affected when the Slack plugin is deployed with approval split configurations. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.3 accurately reflects its narrow real-world impact, constrained by prerequisites and a low impact ceiling.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-32905 npm HIGH PATCH This Week

Authorization bypass in OpenClaw versions before 2026.5.4 allows authenticated chat command users who are not device owners to issue device-pairing bootstrap codes through the bundled device-pair plugin. Exploitation enables an attacker with low-privilege chat access to enroll arbitrary devices with operator or node capabilities, establishing persistent credentials that survive until manual revocation. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-45006 npm HIGH PATCH This Week

Compromised AI models running with access to OpenClaw's gateway tool can persist malicious configuration changes affecting command execution, network endpoints, credentials, and security policies by exploiting an incomplete denylist that failed to protect newly added config paths. The vulnerability allows model-driven writes to sensitive config subtrees (command execution safeguards, proxy/TLS settings, telemetry hooks, operator policies) that survive restart, enabling persistent control beyond the intended model-to-operator trust boundary. Patch available in OpenClaw 2026.4.23 with fail-closed allowlist enforcement. No public exploit or active exploitation confirmed, but CVSS 8.8 (AV:N/AC:L/PR:L) indicates authenticated remote attackers with low-privilege model access can achieve full config compromise.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-45005 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-45004 npm HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw via CWD-based setup-api.js injection allows local attackers to run malicious JavaScript when users execute OpenClaw commands from attacker-controlled directories. Affects all OpenClaw versions before 2026.4.23. Vendor-released patch available in version 2026.4.23. Exploitation requires user interaction (running OpenClaw commands from a malicious repository) but no authentication. CVSS 7.8 reflects local attack vector with user interaction requirement, mitigating remote exploitation risk.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-45002 npm MEDIUM PATCH This Month

OpenClaw before 2026.4.20 allows attackers to bypass the hooks.allowRequestSessionKey opt-in restriction via template-rendered session keys in hook mappings, circumventing webhook routing isolation controls. The vulnerability enables externally influenced session keys to be rendered through templated hook mappings even when the opt-in is disabled, affecting webhook routing isolation but not enabling host execution. Vendor-released patch available (version 2026.4.20); no public exploit code identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-45001 npm MEDIUM PATCH This Month

Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-45000 npm LOW PATCH Monitor

Server-side request forgery in OpenClaw before version 2026.4.20 allows authenticated attackers to bypass strict-mode SSRF policy checks during browser CDP profile creation by storing profiles pointing to private-network or metadata endpoints, which are later probed during normal profile status operations. The vulnerability affects only strict-mode deployments that explicitly restrict private-network CDP targets; default configurations allow private-network endpoints and are not vulnerable. Vendor-released patch: 2026.4.20.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44999 npm MEDIUM PATCH This Month

OpenClaw before version 2026.4.20 fails to preserve untrusted labels on webhook-triggered cron agent output, allowing events to be recorded as trusted system events instead of untrusted events. This trust-labeling issue can strengthen prompt-injection attacks by rendering attacker-controlled webhook data as legitimate system events, though it does not directly bypass authentication, tool policy, or sandboxing controls.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-44998 npm LOW PATCH Monitor

OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44997 npm LOW PATCH Monitor

OpenClaw before 2026.4.22 fails to propagate security envelope constraints when spawning ACP child sessions, allowing authenticated restricted subagents to bypass depth limits, child-count restrictions, control scope, and target-agent constraints. An attacker with subagent privileges can exploit this by spawning child sessions that inherit insufficient security enforcement, potentially escalating privileges or accessing resources beyond their assigned scope.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44996 npm MEDIUM PATCH This Month

OpenClaw before version 2026.4.15 allows arbitrary local file read via the webchat audio embedding helper, which fails to enforce local media root containment checks. Attackers who can influence agent or tool-produced ReplyPayload.mediaUrl parameters can resolve absolute local paths or file:// URLs, read audio-like files, and embed them base64-encoded into webchat responses. The vulnerability is narrow in scope-files must be readable by the gateway process, have audio-like extensions, and fit within the webchat audio size cap-but crosses the security boundary between model/tool output and host filesystem access. No public exploit code or active exploitation has been identified, though the vulnerability is confirmed by vendor advisory.

Path Traversal Openclaw
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.1 lets a lower-trust authenticated caller abuse Git 'ext' transport through incomplete host-exec environment filtering to execute or persist actions beyond their intended privileges. VulnCheck reported and characterizes it as an authentication bypass via Git ext transport, and a GitHub Security Advisory (GHSA-9969-8g9h-rxwm) is published; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 4.0 base score of 8.7 reflects high confidentiality, integrity, and availability impact reachable over the network with only low privileges.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.6 lets a low-privileged caller inject crafted interpreter startup environment variables through the host exec feature, executing or persisting actions beyond their intended authorization. The flaw stems from incomplete environment-variable filtering (CWE-184) that overlooks interpreter startup variables, and per its CVSS 4.0 vector (VC:H/VI:H/VA:H) yields high confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis; the issue is reported by VulnCheck and fixed in 2026.6.6.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in OpenClaw's native web search component allows authenticated lower-trust callers to invoke operations normally gated behind stronger policy checks. Versions 2026.5.28 through 2026.6.5 are affected, with exploitation requiring crafted input paths targeting misconfigured authorization logic - no special tooling needed given the low attack complexity. No public exploit code or CISA KEV listing exists at time of analysis, but the network-reachable attack surface and low complexity reduce the barrier for abuse by compromised or malicious low-privilege accounts.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM This Month

OpenClaw's browser CDP (Chrome DevTools Protocol) discovery component fails to enforce its own URL blocklist, allowing lower-trust authenticated users to reach network destinations that OpenClaw policy should have denied access to. The root cause is a Server-Side Request Forgery variant (CWE-918) where blocked WebSocket URLs submitted through CDP discovery are accepted and proxied without policy enforcement. The CVSS 4.0 vector (SC:H/SI:L) confirms the primary impact lands on downstream or segmented network resources - not OpenClaw itself - making this a network segmentation bypass rather than a direct system compromise. No public exploit code or CISA KEV listing has been identified at time of analysis.

SSRF Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw (versions 2026.3.22 up to but not including 2026.6.6) lets a lower-trust WhatsApp sender satisfy elevated sender allowlists because WhatsApp group IDs are accepted as if they were privileged individual sender identities. An authenticated but low-privilege attacker can therefore invoke actions gated behind stronger authorization, effectively escalating privilege within the messaging integration. Reported by VulnCheck with a CVSS 4.0 base score of 8.7 (high); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw 2026.5.20 through 2026.6.5 lets a low-privilege caller invoke owner-only tools through the MCP loopback feature, escalating beyond intended permissions to execute or persist privileged actions. The flaw stems from incorrect permission enforcement (CWE-732) on configured input paths reachable over the network. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Privilege escalation in OpenClaw 2026.5.20 through 2026.6.8 lets an already-authenticated, lower-trust caller abuse the plugin install command path to execute or persist actions beyond their intended authorization. The root cause is an incorrect permission assignment (CWE-732) on plugin installation, and the CVSS 4.0 vector (PR:L, UI:N, AV:N) shows a low-privileged remote actor can achieve high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the CVE is not in CISA KEV, but a GitHub Security Advisory (GHSA-7vrr-rp4x-4g76) and a VulnCheck advisory document it.

Privilege Escalation Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Authorization bypass via symlink following in OpenClaw's mirror sync feature (versions before 2026.6.9) lets a lower-privilege caller escalate into actions that should require stronger authorization. By planting or referencing symlink parents on a remote mirror target, an authenticated attacker can trick the sync logic into resolving links that cross policy and trust boundaries, yielding high confidentiality and integrity impact. There is no public exploit identified at time of analysis and no CISA KEV listing; no EPSS score was supplied.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Credential exposure in OpenClaw before 2026.5.28 lets a lower-trust actor who can write to a workspace's configured input paths plant a dotenv file that overrides trusted provider credentials, causing sensitive secrets to leak across intended trust boundaries. VulnCheck reported the issue and it is fixed in 2026.5.28; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The vendor CVSS 4.0 base score is 8.4 (High), reflecting high confidentiality and integrity impact but requiring local path access and user interaction.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Allowlist bypass in OpenClaw versions prior to 2026.5.12 allows authenticated operators to execute unapproved shell commands by routing requests through inline-command parser cases that skip the expected allowlist enforcement. The flaw, reported by VulnCheck and tracked under GHSA-f397-5vjw-v2c2, effectively neutralizes the operator-approval boundary in OpenClaw's shell command path. No public exploit identified at time of analysis, and the CVSS 4.0 score of 7.6 reflects high confidentiality and integrity impact with a present attack requirement.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

Untrusted search path execution in OpenClaw before 2026.5.2 allows a local low-privileged user to coerce maintenance task routines into invoking attacker-controlled executables in place of the intended trash command. By manipulating workspace-derived environment paths consumed during maintenance operations, an authenticated user can hijack command resolution and run arbitrary binaries in the OpenClaw process context. No public exploit identified at time of analysis, but VulnCheck has published a dedicated advisory describing the workspace-derived service path abuse.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Environment variable sanitization weakness in OpenClaw prior to 2026.5.26 lets attackers smuggle Node.js control variables (such as NODE_OPTIONS) past the host environment sanitizer, enabling them to influence child-process behavior and coverage output paths. Affected attackers must have write access to workspace .env files, tool environment overrides, or skill environment blocks, and no public exploit is identified at time of analysis. The flaw was reported by VulnCheck and is tracked under CWE-184 (Incomplete List of Disallowed Inputs).

Authentication Bypass Node.js Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions before 2026.4.25 expose an authorization bypass via unvalidated user-controlled group IDs in the tool group policy resolver, enabling authenticated low-privilege network attackers to manipulate access-control decisions for tool invocations. The CVSS 4.0 vector assigns VI:H (High integrity impact on the vulnerable system), reflecting that successful exploitation can cause the policy engine to grant or deny tool permissions contrary to the intended configuration. No public exploit code has been identified at time of analysis, and the CVSS 4.0 AT:P metric indicates a specific attack requirement limits opportunistic mass exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw's macOS Swift exec feature fails to correctly evaluate combined POSIX inline-command flags against its configured command allowlist, enabling a local low-privileged attacker to execute shell content that should be blocked. Affected versions are all OpenClaw releases before 2026.5.6 on macOS. Exploitation depends on an operator-configured allowlist being in place - when that allowlist is configured, a local user can bypass it entirely by using combined flag forms (e.g., `-abc` instead of `-a -b -c`), achieving high confidentiality and integrity impact. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Hostname blocklist bypass in OpenClaw before 2026.5.26 enables authenticated attackers to reach operator-restricted network destinations by supplying trailing-dot notation in model- or workspace-derived URLs. The comparison logic evaluating hostnames against blocklist policies does not normalize fully qualified domain name (FQDN) trailing dots before evaluation, while DNS resolvers treat `blocked.example.com.` and `blocked.example.com` as identical targets. With confidentiality impact rated High by CVSS 4.0 and no public exploit or KEV listing identified at time of analysis, risk is real but bounded to deployments with active blocklist policies and users who control URL parameters.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Untrusted search path in OpenClaw before 2026.5.2 allows local attackers who can influence a workspace .env file to redirect bundled runtime dependency loading to attacker-controlled paths, resulting in arbitrary code execution during dependency resolution. The STATE_DIRECTORY environment variable is not validated before being used to anchor runtime dependency roots, so a poisoned workspace can execute code in the context of a user who opens it. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authentication bypass in OpenClaw before 2026.5.3 allows remote attackers with low privileges to receive agent responses intended for other Zalo identities by manipulating their mutable display name to match allowFrom policy entries. The flaw stems from policy enforcement relying on mutable display metadata rather than immutable identifiers, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM POC PATCH This Month

OpenClaw before 2026.4.24 exposes sensitive configuration data to other local users on shared hosts due to insecure file permissions set during the config recovery process. When recovery restores OpenClaw.json, the resulting file is created with overly broad permissions, allowing any low-privileged local user to read its contents. No public exploit has been identified at time of analysis, but exploitation requires only a low-privilege local account and a shared-host environment where the recovery path has been exercised.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Allowlist bypass in OpenClaw before 2026.4.2 lets authenticated operators smuggle inline-eval content through shell positional parameters, defeating the strict allowlist that is meant to constrain which tools and content the shell carrier executes. Successful abuse yields execution of unapproved shell-provided content with high confidentiality and integrity impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Privilege escalation in OpenClaw before 2026.4.25 allows authenticated low-privileged users to inherit wildcard ownerAllowFrom authorization state across channel boundaries, enabling execution of owner-level commands outside their intended channel scope on both internal and webchat command paths. The flaw (CWE-863) produces high integrity impact (VI:H per CVSS 4.0) without confidentiality or availability consequences, as the attacker gains unauthorized administrative command execution rather than data access. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the CVSS 4.0 score of 6.0 reflects meaningful but condition-dependent risk.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Allowlist bypass in OpenClaw before 2026.5.12 lets authenticated attackers invoke approved executables with arbitrary arguments on Linux and macOS, defeating the argPattern restrictions intended to constrain each binary's permitted invocations. The flaw enables disallowed file access, network access, or command execution under the privileges of the OpenClaw exec subsystem, with no public exploit identified at time of analysis.

Authentication Bypass Apple Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW POC PATCH Monitor

Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.5.12 fails to enforce its own notification filter for Slack reaction events, allowing those events to bypass a disabled-notification setting and reach the agent processing pipeline (CWE-862: Missing Authorization). Any user with Slack workspace access can send reaction events to channels monitored by OpenClaw, triggering unintended agent execution with lower-trust input even when administrators have explicitly disabled reaction notifications. No public exploit code exists and no active exploitation has been confirmed at time of analysis; the CVSS 4.0 score of 6.3 reflects a moderate-severity, narrow-impact integrity issue.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

OpenClaw before version 2026.4.25 permits authenticated local callers to invoke the focus command without passing proper authorization checks, enabling control scope enforcement bypass (CWE-862: Missing Authorization). Any low-privileged local user can alter focus state outside their intended caller authority, with downstream impact varying by gateway configuration and input trust levels. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows any user with a Discord account to assume the identity of a privileged Discord user authorized in the agent's allowFrom policy by simply renaming their account, because the access-control check matches on mutable display names rather than immutable Discord user IDs (snowflakes). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but exploitation is trivial for anyone who can read the target policy.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Privilege escalation in OpenClaw before 2026.5.6 allows authenticated Gateway operators holding operator.write access to modify global configuration that should be restricted exclusively to operator.admin privileges. The root cause (CWE-266: Incorrect Privilege Assignment) lies in insufficient scope validation within the Active Memory write scope, which fails to enforce the boundary between the write and admin privilege tiers. No public exploit has been identified at time of analysis; however, the network-accessible attack vector (AV:N, PR:L) means any authenticated operator-level account across the deployment is a viable exploitation path with low attack complexity.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

Untrusted search path in OpenClaw versions prior to 2026.4.29 lets workspace-local .env files override the npm_execpath variable consulted by the install helper, redirecting bundled dependency installation to an attacker-controlled package-manager binary. An attacker who can place files in the workspace can hijack the runtime dependency setup step to compromise the build environment under the developer's identity, with no public exploit identified at time of analysis.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

Session visibility check bypass in OpenClaw's shared memory search component allows authenticated low-privileged users to retrieve memory entries belonging to other sessions without proper authorization. All OpenClaw versions prior to 2026.4.29 are affected; the flaw (CWE-862, Missing Authorization) exists because the session visibility guard is not enforced on the shared memory search code path, yielding a high confidentiality impact against multi-session deployments. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 score of 6.0 with VC:H signals meaningful data exposure risk for any environment where multiple users or sessions operate concurrently.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.26 allows an attacker with a previously paired device to re-establish WebSocket node-level authority after the session has been revoked, effectively defeating the revocation control. The flaw stems from a surviving pairing-scoped device session that can mint new node tokens without renewed approval, letting authenticated attackers retain unauthorized node-level access longer than intended. No public exploit identified at time of analysis, but the issue is acknowledged in a GitHub Security Advisory (GHSA-q99w-vh6v-q3v7) and a VulnCheck advisory.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Python RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.

XSS Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

OpenClaw's streamable-http MCP server implementation leaks operator-configured custom headers to attacker-controlled origins during cross-origin HTTP redirects. All OpenClaw versions before 2026.5.12 are affected, and any deployment that places sensitive values - API keys, tenant-routing credentials, or bearer tokens - in operator-configured custom headers is exposed. An attacker who controls or has compromised an MCP endpoint can trigger a cross-origin redirect, causing OpenClaw to forward those headers to an origin the attacker controls, resulting in credential theft. No public exploit has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw's retry endpoint authentication check performs hostname prefix matching instead of exact hostname comparison, enabling an authenticated attacker to redirect sensitive authentication material to an attacker-controlled endpoint. All versions before 2026.5.7 are affected per CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*. The CVSS 4.0 vector scores this at 6.0 with high confidentiality impact (VC:H) and a specific attack prerequisite (AT:P); no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

State mutation in OpenClaw's node pairing reconnection logic allows a low-privilege paired node to escalate its effective authority by confusing the approval scope engine, potentially bypassing access restrictions within the system. Affected versions are all OpenClaw releases before 2026.5.27, as identified by CPE cpe:2.3:a:openclaw:openclaw. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, but the integrity impact is rated High given an attacker can restore or inflate node authority beyond what was originally sanctioned.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access control in OpenClaw's Mattermost event handler integration allows remote unauthenticated attackers to bypass direct message (DM) policy enforcement by submitting crafted Mattermost events that deliberately omit channel type metadata. All OpenClaw versions prior to 2026.5.6 are affected. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible and unauthenticated nature of the flaw (PR:N per CVSS 4.0) makes it actionable for deployments that rely on DM policies as a meaningful access control boundary.

Authentication Bypass Mattermost Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution allowlist by submitting encoded-command flag aliases (abbreviated forms) that the allowlist parser fails to recognize. The flaw enables execution of arbitrary PowerShell payloads with full confidentiality, integrity, and availability impact on the host. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Configuration enforcement bypass in OpenClaw's Feishu dynamic-agent binding subsystem permits authenticated senders to create or update sender-agent bindings while circumventing configured config-write access controls. All OpenClaw versions prior to 2026.5.6 are affected; an attacker holding valid sender credentials can modify binding state beyond intended policy, potentially redirecting or hijacking agent associations belonging to other users. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrow impact scope and prerequisite deployment conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Authorization bypass in OpenClaw's QQBot component before version 2026.4.27 allows authenticated senders to invoke slash commands before allowFrom policy checks execute, effectively skipping operator-configured access controls. The flaw stems from pre-dispatch command handling that runs prior to policy enforcement, enabling blocked senders to trigger command handlers depending on deployment configuration. No public exploit identified at time of analysis, and CVSS 4.0 scoring of 8.2 reflects high integrity impact with an attack requirement (AT:P) suggesting non-trivial conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Identity header forgery in OpenClaw before 2026.5.18 allows local same-host callers with access to the proxy-facing Gateway port to spoof trusted-proxy identity headers and assume operator identity. The flaw stems from missing validation of headers normally set by an upstream trusted proxy, enabling privilege escalation when the Gateway port is reachable locally. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Information disclosure in OpenClaw before 2026.5.18 lets authenticated operators abuse shell metacharacter expansion within the system.run safe-bin allowlist to read unintended node-local files on POSIX nodes and exfiltrate sensitive configuration data. The flaw bypasses command-policy enforcement because the allowlist validates a literal command string while the underlying shell re-interprets it at execution time. No public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Webhook secret revocation bypass in OpenClaw before 2026.4.22 allows callers possessing previously-issued Slack and Zalo webhook secrets to continue submitting accepted events after an operator invokes the secrets.reload function. The stale-secret acceptance window undermines the integrity guarantees of secret rotation, enabling unauthorized webhook payload injection into what operators believe is a secured endpoint. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the integrity impact is rated high per the CVSS 4.0 vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Command approval bypass in OpenClaw versions prior to 2026.5.18 allows authenticated users to smuggle malicious instructions past human approvers by exploiting how the approval UI truncates oversized exec commands. The flaw (CWE-451, UI misrepresentation) lets an attacker craft a request with a benign-looking prefix while a malicious suffix is hidden from the reviewer's display, resulting in unauthorized execution once the request is approved. No public exploit identified at time of analysis and the CVE is not currently listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.6 allows authenticated senders to invoke owner-only native commands without satisfying the configured owner-command policy. Any user with valid credentials can therefore execute privileged operations reserved for the resource owner, undermining the access control model. No public exploit identified at time of analysis, but a GitHub Security Advisory (GHSA-p73f-w79w-jqr5) and a VulnCheck advisory document the flaw.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Credential exposure via SSRF in OpenClaw's message.action forwarding allows authenticated remote attackers to redirect Gateway token-bearing action payloads to attacker-supplied loopback URLs, resulting in full confidentiality compromise of Gateway credentials. Affected versions are all OpenClaw releases prior to 2026.5.2; the flaw is rooted in insufficient validation of model-controlled metadata that governs action routing. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the Gateway credential theft impact warrants prompt patching in any deployment where OpenClaw interacts with privileged backend services.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Arbitrary local file read in OpenClaw before 2026.4.7 lets authenticated Gateway operators holding the operator.write scope coerce the memory-wiki ingest feature into importing the contents of arbitrary local files. The flaw, reported by VulnCheck and tracked as GHSA-p2fh-f5fc-44hr, enables disclosure of sensitive host files (credentials, config, secrets) into wiki memory, but no public exploit identified at time of analysis and it is not listed in CISA KEV.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before version 2026.4.24 permits users whose slash command tokens have been explicitly revoked to continue issuing slash commands during the active monitor refresh window, violating the expected access boundary. The flaw stems from a revocation propagation lag: the token invalidation state is not synchronously enforced but instead depends on a periodic monitor cycle, allowing a briefly stale authorization check to pass. No public exploit code and no CISA KEV listing have been identified at time of analysis; real-world impact depends heavily on the duration of the monitor refresh interval and the sensitivity of slash commands exposed by the operator.

Microsoft Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.3 allows attackers with access to a Slack account to spoof identity by changing their mutable Slack display name to match an allowFrom policy entry, gaining agent access intended for another user. The root cause is authentication binding to a mutable identifier (CWE-290) rather than a stable Slack user ID. No public exploit identified at time of analysis, though an upstream advisory (GHSA-c29c-2q9c-pc86) and VulnCheck writeup describe the flaw in detail.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between approval and execution, bypassing the allowlist enforcement. The TOCTOU-style race against the approval gate lets attackers execute unapproved command shapes with the application's privileges, with no public exploit identified at time of analysis but a vendor advisory published via GHSA.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin scope without server-side validation against pairing or trusted-proxy authorization state. Attackers with low-privileged WebSocket access can invoke admin-gated Gateway RPCs, and no public exploit identified at time of analysis despite CVSS 4.0 score of 8.7.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw's bundled MCP loopback session-spawn path fails to enforce its exec denylist, allowing authenticated low-privilege callers to execute commands that should be restricted. Affected versions are all OpenClaw releases prior to 2026.5.12. An attacker with local, authenticated access can spawn MCP sessions through the loopback path to gain command reach exceeding their authorized scope, resulting in high integrity impact on the vulnerable system. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skill installation by planting a workspace-level .env file that overrides the trusted Homebrew path. The flaw, classified as CWE-426 (Untrusted Search Path), enables full system compromise when an operator installs a tampered skill. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Authorization bypass in OpenClaw before 2026.4.24 allows local, low-privileged callers to circumvent owner-only tool policies and before-tool-call hooks via the MCP loopback feature. By routing requests through the affected loopback path, a non-owner principal can invoke tools that should be restricted to the owner role, effectively escalating effective privileges within the application. No public exploit code has been identified at time of analysis, but a vendor patch has been released and the vulnerability was reported by VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information during Control UI device pairing and escalate temporary shared access into durable, admin-capable device tokens that persist across token rotation. The flaw stems from insufficient locality-derived trust validation (CWE-290), enabling lateral conversion of low-privilege sessions into persistent administrative credentials. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.18 allows a paired node to forge exec lifecycle events and obtain capabilities reserved for nodes holding system.run authorization. By sending crafted node.event messages, an attacker controlling any peered node can steer gateway sessions into exec-event paths and execute privileged operations, with no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in OpenClaw before 2026.5.19 allows authenticated lower-trust users to read messages from channels outside their allowlist by abusing missing validation in message read actions. The flaw maps to CWE-862 (Missing Authorization) and carries a CVSS 4.0 score of 7.1 with high confidentiality impact; no public exploit identified at time of analysis, but a vendor patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.20 allows attackers holding a valid hook token to invoke owner-only MCP tools through the /hooks/agent endpoint, because hook-triggered agent runs are incorrectly granted owner-scoped MCP loopback authority. Successful exploitation lets a low-privileged hook caller execute privileged actions such as modifying persistent cron state, with no public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Path traversal in OpenClaw before version 2026.4.25 allows attackers with workspace access to manipulate local package root resolution and load memory-core artifacts from attacker-controlled locations, leading to arbitrary code execution or sensitive data disclosure. The flaw stems from workspace state influencing artifact resolution paths (CWE-427, Uncontrolled Search Path Element). No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory describing the fake package root resolution technique.

Path Traversal Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Server-side request forgery in OpenClaw's Playwright-backed browser control allows authenticated low-privilege users to circumvent private-network navigation guards by chaining action-triggered redirects through the Playwright act interaction mechanism. All OpenClaw versions prior to 2026.5.18 are affected, and subsequent browser evaluation APIs can be abused to read the content of private-network pages - including internal services, admin panels, or cloud metadata endpoints reachable from the server. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the subsequent-system confidentiality impact is rated High in the CVSS 4.0 vector, reflecting meaningful data-disclosure potential in cloud-hosted or internally networked deployments.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Privilege escalation in OpenClaw before 2026.5.7 allows authenticated Matrix users to impersonate other identities by manipulating their mutable display name to match policy entries in the allowFrom feature. The flaw stems from authentication relying on a user-controlled attribute (CWE-290), letting attackers receive agent access intended for another Matrix identity. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw's embedded runner policy incorrectly resolves provider aliases against other aliases rather than their canonical provider identities, enabling an authenticated local user to bypass intended provider policy restrictions. When the affected provider alias feature is active, a low-privileged attacker can select bundled tool access that falls outside the scope their policy should permit, effectively sidestepping the authorization boundary. No public exploit has been identified and no active exploitation is confirmed via CISA KEV; the local attack vector and required feature enablement materially limit real-world exposure.

Canonical Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Approval policy bypass in OpenClaw's Skill Workshop apply flow allows remote attackers to apply workshop configuration changes without completing the required authorization step. Versions prior to 2026.5.6 fail to enforce the `approvalPolicy: pending` gate when agent tool calls include `apply: true`, effectively granting unauthorized write access to skill configurations. No public exploit code has been identified at time of analysis; a vendor-released patch is available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Command execution bypass in OpenClaw before 2026.5.12 lets low-privileged remote users smuggle inline shell content past exec allowlist revalidation by combining POSIX shell flags into a single argument. The flaw exists because parsing logic treats grouped option characters differently from discrete flags, enabling unintended command paths when the affected exec feature is enabled. No public exploit identified at time of analysis, but the issue was reported by VulnCheck and a vendor advisory plus patch are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Scope bypass in OpenClaw versions prior to 2026.5.18 allows authenticated clients holding only the operator.write scope to invoke privileged Gateway commands via the chat.send route, escalating from limited operator access to full administrative control. Exploitation lets remote attackers mutate plugins, configuration, MCP settings, allowlists, and ACP rules that should require operator.approvals or operator.admin scopes. No public exploit has been identified at time of analysis, but the CVSS 4.0 base score of 8.7 (high) and low attack complexity make this a serious privilege-escalation issue for any multi-tenant or delegated OpenClaw deployment.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

SSRF policy bypass in OpenClaw before 2026.4.29 enables authenticated low-privileged attackers to circumvent private-network SSRF protections via browser debug and export routes. The flaw (CWE-863, Incorrect Authorization) allows an attacker who already holds valid credentials to reuse previously blocked browser tabs, causing the application to export or inspect content from protected internal resources that the SSRF policy was intended to restrict. No public exploit has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis, though the high confidentiality impact on the vulnerable component (VC:H in CVSS 4.0) warrants prompt patching for internet-exposed instances.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authorization bypass in OpenClaw QQBot before 2026.5.18 allows non-approver users to resolve pending exec and plugin approval requests by clicking native approval buttons, because the configured approver identity is not enforced server-side. The flaw collapses a core access-control gate around command and plugin execution workflows, and no public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-mgq6-vr84-7m2j and VulnCheck advisory provide enough detail to reproduce.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Policy bypass in OpenClaw's QQBot admin command handling allows authenticated low-privilege network users to circumvent DM-only and allowFrom authorization checks, routing restricted admin commands from unauthorized senders or contexts. Affected versions are all OpenClaw releases prior to 2026.4.29. The CVSS 4.0 score of 2.3 reflects limited confidentiality and integrity impact with no availability impact, and no public exploit has been identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Privilege escalation in OpenClaw's Slack plugin approval workflow allows authenticated users holding limited exec permissions to bypass operator-configured approval splits by resolving plugin approvals through the exec approver gate - approving actions outside their intended authorization boundary. All OpenClaw versions before 2026.5.12 are affected when the Slack plugin is deployed with approval split configurations. No public exploit code has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 2.3 accurately reflects its narrow real-world impact, constrained by prerequisites and a low impact ceiling.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authorization bypass in OpenClaw versions before 2026.5.4 allows authenticated chat command users who are not device owners to issue device-pairing bootstrap codes through the bundled device-pair plugin. Exploitation enables an attacker with low-privilege chat access to enroll arbitrary devices with operator or node capabilities, establishing persistent credentials that survive until manual revocation. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Compromised AI models running with access to OpenClaw's gateway tool can persist malicious configuration changes affecting command execution, network endpoints, credentials, and security policies by exploiting an incomplete denylist that failed to protect newly added config paths. The vulnerability allows model-driven writes to sensitive config subtrees (command execution safeguards, proxy/TLS settings, telemetry hooks, operator policies) that survive restart, enabling persistent control beyond the intended model-to-operator trust boundary. Patch available in OpenClaw 2026.4.23 with fail-closed allowlist enforcement. No public exploit or active exploitation confirmed, but CVSS 8.8 (AV:N/AC:L/PR:L) indicates authenticated remote attackers with low-privilege model access can achieve full config compromise.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

OpenClaw before 2026.4.23 fails to invalidate cached webhook route secrets after rotation, allowing attackers with previously valid secrets to continue authenticating webhook requests and invoking task flows until gateway restart. The vulnerability affects SecretRef-backed webhook authentication where the resolved secret is cached at startup rather than re-resolved per request, weakening credential rotation effectiveness. Vendor-released patch available in version 2026.4.23.

Information Disclosure Openclaw
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary code execution in OpenClaw via CWD-based setup-api.js injection allows local attackers to run malicious JavaScript when users execute OpenClaw commands from attacker-controlled directories. Affects all OpenClaw versions before 2026.4.23. Vendor-released patch available in version 2026.4.23. Exploitation requires user interaction (running OpenClaw commands from a malicious repository) but no authentication. CVSS 7.8 reflects local attack vector with user interaction requirement, mitigating remote exploitation risk.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before 2026.4.20 allows attackers to bypass the hooks.allowRequestSessionKey opt-in restriction via template-rendered session keys in hook mappings, circumventing webhook routing isolation controls. The vulnerability enables externally influenced session keys to be rendered through templated hook mappings even when the opt-in is disabled, affecting webhook routing isolation but not enabling host execution. Vendor-released patch available (version 2026.4.20); no public exploit code identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Prompt-injected AI models can escalate privileges and persist unauthorized configuration changes in OpenClaw gateway before version 2026.4.20 via insufficient authorization guards on agent-facing config.patch and config.apply endpoints. Authenticated attackers (PR:L) with model tool access can disable sandbox policies, enable malicious plugins, modify TLS/authentication settings, alter SSRF protections, reconfigure MCP servers, and weaken filesystem hardening-effectively bypassing operator-enforced security boundaries. Vendor-released patch available in version 2026.4.20. No evidence of active exploitation; EPSS data not available for this recently disclosed vulnerability.

Authentication Bypass SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Server-side request forgery in OpenClaw before version 2026.4.20 allows authenticated attackers to bypass strict-mode SSRF policy checks during browser CDP profile creation by storing profiles pointing to private-network or metadata endpoints, which are later probed during normal profile status operations. The vulnerability affects only strict-mode deployments that explicitly restrict private-network CDP targets; default configurations allow private-network endpoints and are not vulnerable. Vendor-released patch: 2026.4.20.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.4.20 fails to preserve untrusted labels on webhook-triggered cron agent output, allowing events to be recorded as trusted system events instead of untrusted events. This trust-labeling issue can strengthen prompt-injection attacks by rendering attacker-controlled webhook data as legitimate system events, though it does not directly bypass authentication, tool policy, or sandboxing controls.

Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before 2026.4.22 fails to propagate security envelope constraints when spawning ACP child sessions, allowing authenticated restricted subagents to bypass depth limits, child-count restrictions, control scope, and target-agent constraints. An attacker with subagent privileges can exploit this by spawning child sessions that inherit insufficient security enforcement, potentially escalating privileges or accessing resources beyond their assigned scope.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw before version 2026.4.15 allows arbitrary local file read via the webchat audio embedding helper, which fails to enforce local media root containment checks. Attackers who can influence agent or tool-produced ReplyPayload.mediaUrl parameters can resolve absolute local paths or file:// URLs, read audio-like files, and embed them base64-encoded into webchat responses. The vulnerability is narrow in scope-files must be readable by the gateway process, have audio-like extensions, and fit within the webchat audio size cap-but crosses the security boundary between model/tool output and host filesystem access. No public exploit code or active exploitation has been identified, though the vulnerability is confirmed by vendor advisory.

Path Traversal Openclaw
NVD GitHub
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy