Openclaw
Monthly
Arbitrary JavaScript execution in OpenClaw versions prior to 2026.2.14 results from improper path validation in the hook transform module loader, allowing attackers with configuration write access to load malicious modules with gateway process privileges. The vulnerability affects the hooks.mappings[].transform.module parameter, which fails to restrict absolute paths and directory traversal sequences. A patch is available.
OpenClaw versions before 2026.2.14 allow unauthenticated attackers to execute privileged slash commands via direct message when the dmPolicy setting is configured to open, bypassing security controls like allowlists and access groups. This privilege escalation stems from improper authorization checks in the Slack slash-command handler that fails to validate direct message senders. A patch is available for affected users.
Windows cmd.exe metacharacter injection in OpenClaw before 2026.2.2. Bypass exec whitelist. Patch available.
Validation bypass in OpenClaw tools.exec.safeBins allows shell command execution through GNU long-option abbreviation. Attackers can abuse the 'sort' binary whitelist entry to execute arbitrary commands via abbreviated flags. CVSS 9.9.
OpenClaw versions 2026.2.17 and earlier fail to enforce payload size limits in the ACP bridge, allowing local clients to trigger denial of service through excessively large prompt inputs that consume system resources. This vulnerability primarily impacts IDE integrations and other local ACP clients that may inadvertently send oversized text blocks. The issue has been patched in version 2026.2.19.
OpenClaw versions 2026.2.17 and earlier allow unauthenticated remote attackers to access internal and metadata endpoints through unprotected cron webhook delivery mechanisms that lack SSRF validation. An attacker can exploit this to reach private services and endpoints that should be restricted, potentially leading to information disclosure or lateral movement within the infrastructure. A patch is available in version 2026.2.19.
OpenClaw AI assistant on macOS versions 2026.2.13 and earlier is vulnerable to command injection through the credential refresh mechanism, which improperly handles user-controlled OAuth tokens when constructing shell commands for Keychain operations. An authenticated attacker with local access could exploit this to execute arbitrary OS commands with the privileges of the application user. The vulnerability has been patched in version 2026.2.14.
OpenClaw CLI versions 2026.2.13 and earlier terminate processes based on command-line pattern matching without verifying process ownership, allowing unrelated processes to be killed on shared hosts. An attacker or unprivileged user on a multi-tenant system could leverage this to disrupt services or cause denial of service by triggering process cleanup routines that match their target applications. The vulnerability has been patched in version 2026.2.14.
Openclaw contains a vulnerability that allows attackers to potential unintentional disclosure of local files from the packaging machine int (CVSS 4.4).
Unauthorized Discord moderation actions in OpenClaw versions 2026.2.17 and below allow non-admin users to execute timeouts, kicks, and bans by spoofing sender identity parameters in tool-driven requests. The vulnerability affects deployments where Discord moderation is enabled and the bot has necessary guild permissions, enabling privilege escalation through identity manipulation. A patch is available in version 2026.2.18.
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.
OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.
OpenClaw versions prior to 2026.2.15 expose Telegram bot tokens in error messages and logs without redaction, allowing attackers who gain access to these logs to impersonate the bot and hijack its API access. This credential disclosure affects users of the AI assistant across systems where logs, crash reports, or support bundles are generated. Users must upgrade to version 2026.2.15 and rotate exposed Telegram bot tokens immediately.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
OpenClaw versions prior to 2026.2.14 fail to validate the gatewayUrl parameter in the Gateway tool, allowing authenticated users or operators to redirect WebSocket connections to arbitrary targets and potentially access internal resources. This vulnerability requires authentication and the ability to invoke specific tool calls, limiting exposure to trusted users and automated systems rather than anonymous attackers. An attacker with these privileges could establish unauthorized outbound connections from the OpenClaw host, compromising confidentiality and potentially enabling further network-based attacks.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
OpenClaw macOS desktop client versions 2026.2.6 through 2026.2.13 fail to fully display message content in confirmation dialogs for deep links, allowing attackers to hide malicious payloads behind whitespace that users cannot see before execution. When a user approves the truncated preview and clicks "Run," the full hidden message executes, potentially leading to arbitrary command execution depending on the user's configured permissions. This affects beta versions of the OpenClaw AI assistant on macOS where the openclaw:// URL scheme is registered without proper authentication.
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.
OpenClaw prior to version 2026.1.20 allows local unauthenticated attackers to execute arbitrary commands as the gateway user by exploiting the WebSocket API to inject malicious command paths through the config.apply function. The vulnerability stems from insufficient validation of the cliPath parameter, which is subsequently used for command discovery without proper sanitization. No patch is currently available for affected versions.
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs extracted from query strings, transmitting authentication tokens without user confirmation. This network-based vulnerability requires user interaction (clicking a malicious link) and allows attackers to hijack authenticated sessions and perform actions with the victim's privileges. Public exploit code exists for this high-severity flaw with no patch currently available.
Arbitrary JavaScript execution in OpenClaw versions prior to 2026.2.14 results from improper path validation in the hook transform module loader, allowing attackers with configuration write access to load malicious modules with gateway process privileges. The vulnerability affects the hooks.mappings[].transform.module parameter, which fails to restrict absolute paths and directory traversal sequences. A patch is available.
OpenClaw versions before 2026.2.14 allow unauthenticated attackers to execute privileged slash commands via direct message when the dmPolicy setting is configured to open, bypassing security controls like allowlists and access groups. This privilege escalation stems from improper authorization checks in the Slack slash-command handler that fails to validate direct message senders. A patch is available for affected users.
Windows cmd.exe metacharacter injection in OpenClaw before 2026.2.2. Bypass exec whitelist. Patch available.
Validation bypass in OpenClaw tools.exec.safeBins allows shell command execution through GNU long-option abbreviation. Attackers can abuse the 'sort' binary whitelist entry to execute arbitrary commands via abbreviated flags. CVSS 9.9.
OpenClaw versions 2026.2.17 and earlier fail to enforce payload size limits in the ACP bridge, allowing local clients to trigger denial of service through excessively large prompt inputs that consume system resources. This vulnerability primarily impacts IDE integrations and other local ACP clients that may inadvertently send oversized text blocks. The issue has been patched in version 2026.2.19.
OpenClaw versions 2026.2.17 and earlier allow unauthenticated remote attackers to access internal and metadata endpoints through unprotected cron webhook delivery mechanisms that lack SSRF validation. An attacker can exploit this to reach private services and endpoints that should be restricted, potentially leading to information disclosure or lateral movement within the infrastructure. A patch is available in version 2026.2.19.
OpenClaw AI assistant on macOS versions 2026.2.13 and earlier is vulnerable to command injection through the credential refresh mechanism, which improperly handles user-controlled OAuth tokens when constructing shell commands for Keychain operations. An authenticated attacker with local access could exploit this to execute arbitrary OS commands with the privileges of the application user. The vulnerability has been patched in version 2026.2.14.
OpenClaw CLI versions 2026.2.13 and earlier terminate processes based on command-line pattern matching without verifying process ownership, allowing unrelated processes to be killed on shared hosts. An attacker or unprivileged user on a multi-tenant system could leverage this to disrupt services or cause denial of service by triggering process cleanup routines that match their target applications. The vulnerability has been patched in version 2026.2.14.
Openclaw contains a vulnerability that allows attackers to potential unintentional disclosure of local files from the packaging machine int (CVSS 4.4).
Unauthorized Discord moderation actions in OpenClaw versions 2026.2.17 and below allow non-admin users to execute timeouts, kicks, and bans by spoofing sender identity parameters in tool-driven requests. The vulnerability affects deployments where Discord moderation is enabled and the bot has necessary guild permissions, enabling privilege escalation through identity manipulation. A patch is available in version 2026.2.18.
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.
OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.
OpenClaw versions prior to 2026.2.15 expose Telegram bot tokens in error messages and logs without redaction, allowing attackers who gain access to these logs to impersonate the bot and hijack its API access. This credential disclosure affects users of the AI assistant across systems where logs, crash reports, or support bundles are generated. Users must upgrade to version 2026.2.15 and rotate exposed Telegram bot tokens immediately.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
OpenClaw versions prior to 2026.2.14 fail to validate the gatewayUrl parameter in the Gateway tool, allowing authenticated users or operators to redirect WebSocket connections to arbitrary targets and potentially access internal resources. This vulnerability requires authentication and the ability to invoke specific tool calls, limiting exposure to trusted users and automated systems rather than anonymous attackers. An attacker with these privileges could establish unauthorized outbound connections from the OpenClaw host, compromising confidentiality and potentially enabling further network-based attacks.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
OpenClaw macOS desktop client versions 2026.2.6 through 2026.2.13 fail to fully display message content in confirmation dialogs for deep links, allowing attackers to hide malicious payloads behind whitespace that users cannot see before execution. When a user approves the truncated preview and clicks "Run," the full hidden message executes, potentially leading to arbitrary command execution depending on the user's configured permissions. This affects beta versions of the OpenClaw AI assistant on macOS where the openclaw:// URL scheme is registered without proper authentication.
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.
OpenClaw prior to version 2026.1.20 allows local unauthenticated attackers to execute arbitrary commands as the gateway user by exploiting the WebSocket API to inject malicious command paths through the config.apply function. The vulnerability stems from insufficient validation of the cliPath parameter, which is subsequently used for command discovery without proper sanitization. No patch is currently available for affected versions.
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs extracted from query strings, transmitting authentication tokens without user confirmation. This network-based vulnerability requires user interaction (clicking a malicious link) and allows attackers to hijack authenticated sessions and perform actions with the victim's privileges. Public exploit code exists for this high-severity flaw with no patch currently available.