Openclaw
Monthly
OpenClaw before version 2026.3.31 allows authenticated attackers to bypass authorization controls on Discord voice channels through exploitation of stale-role validation gaps and improper channel name validation, enabling unauthorized access to restricted voice channels that should be protected by member and channel allowlists. The vulnerability requires valid Discord credentials but enables privilege escalation within voice channel access controls. No public exploit code has been identified at the time of analysis.
OpenClaw before version 2026.3.31 contains an access control bypass in its Discord voice manager that allows authenticated attackers to send voice ingress requests before channel allowlist authorization checks are enforced, gaining unauthorized access to restricted voice channels. The vulnerability exploits a race condition or authorization sequencing flaw in the voice channel access control mechanism, affecting deployments with member-level access restrictions.
Execution approval bypass in OpenClaw before 2026.3.28 allows local authenticated users with standard privileges to establish overly broad executable allowlist entries through wrapper carrier exploitation. Attackers leverage positional routing in dispatch wrappers to trust carrier executables instead of their invoked targets, escalating from limited execution approval to arbitrary code execution with high confidentiality and integrity impact. Vendor-released patch version 2026.3.28 addresses the flaw (GHSA-p4x4-2r7f-wjxg). No evidence of active exploitation or public POC identified at time of analysis.
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.
Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.
OpenClaw before version 2026.3.31 fails to block plugin installation when security scans detect threats, allowing authenticated users to install malicious plugins by ignoring visible scan warnings. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but enables installation of untrusted code with moderate integrity impact when exploited.
OpenClaw before version 2026.3.31 fails to properly validate message senders in Matrix thread root and reply context handling, allowing remote unauthenticated attackers to bypass sender allowlists and access filtered messages. The vulnerability requires user interaction and has low attack complexity, but impact is limited to information disclosure of message context that should have been restricted by access controls.
Authorization bypass in OpenClaw phone channel endpoints allows authenticated low-privilege users to arm or disarm phone-based alarm channels without required administrative rights. Versions prior to 2026.3.28 fail to validate operator.admin scope for /phone arm and /phone disarm API endpoints when accessed through external channels (CWE-863). Patch released via GitHub commit aa66ae1fc, with CVSS 7.1 reflecting network-accessible integrity impact requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV); exploit development straightforward given simple API authorization flaw.
OpenClaw before version 2026.3.31 performs Discord audio preflight transcription without validating member authorization, allowing unauthenticated remote attackers to trigger resource-intensive audio processing and cause denial of service through resource exhaustion.
OpenClaw before 2026.3.31 allows authenticated users with approved host-exec requests to execute arbitrary code during build processes by overriding compiler binary environment variables (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) through an incomplete host-env-security-policy.json configuration. The vulnerability requires local access and prior authentication to an OpenClaw instance, but enables full code execution with inherited privileges during compilation. No public exploit code has been identified at time of analysis.
OpenClaw before version 2026.4.2 fails to normalize trailing-dot localhost hostnames in Chrome DevTools Protocol (CDP) discovery responses, allowing attackers to bypass loopback address protections. An unauthenticated remote attacker can craft malicious CDP discovery responses that return 'localhost.' (with trailing dot) instead of the standard 'localhost', causing the browser control mechanism to treat it as a different hostname and redirect authenticated browser sessions to attacker-controlled endpoints, potentially exposing sensitive browser state and authentication tokens.
Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.
Path traversal in OpenClaw's ACP dispatch mechanism allows authenticated remote attackers to read arbitrary files outside intended directories by manipulating inbound channel attachment paths. Attackers can bypass both attachment-cache and root directory security checks to access sensitive system files. Upstream fix available via GitHub commit 566fb73d9d, with versions prior to 2026.3.31 confirmed vulnerable. No CISA KEV listing at time of analysis, indicating targeted rather than widespread exploitation.
Environment variable disclosure in OpenClaw jq safe-bin policy allows authenticated remote attackers to extract sensitive credentials and configuration data. The vulnerability stems from incomplete filter blocking in jq program execution - specifically, the $ENV filter can bypass safe-bin restrictions to read process environment variables. Versions prior to 2026.3.28 are affected. No CISA KEV listing or public POC identified at time of analysis, but disclosure by VulnCheck indicates vendor-confirmed issue with available patch.
OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.
OpenClaw before version 2026.3.31 allows authenticated attackers to read arbitrary host files through improper validation in the appendLocalMediaParentRoots function, enabling exfiltration of credentials and sensitive data. The vulnerability permits model-initiated file access by exploiting a self-whitelisting mechanism that fails to properly validate media parent directory paths. Authentication is required, but the flaw affects confidentiality with a CVSS score of 6.0.
OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.
Remote authenticated attackers can overwrite arbitrary files on OpenClaw servers by uploading malicious tar archives containing symbolic links to the SSH sandbox feature. The vulnerability allows escaping sandbox restrictions to modify critical system files, enabling potential remote code execution or denial of service. Affects OpenClaw versions before 2026.3.31. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.
OpenClaw versions 2026.2.6 through 2026.3.24 allow authenticated remote attackers to read arbitrary files outside configured sandbox boundaries via path traversal in the Feishu extension's resolveUploadInput function during upload_image operations. The vulnerability bypasses file-system sandbox restrictions through improper path resolution, enabling confidentiality compromise of sensitive data accessible to the application process.
OpenClaw versions 2026.2.19 before 2026.3.31 allow authenticated attackers to suppress legitimate webhook events across different accounts in multi-tenant deployments by exploiting improper cache isolation in the Zalo webhook replay-deduplication mechanism. An attacker with control of one authenticated Zalo webhook path can match event_name and message_id parameters to suppress events on victim accounts, causing denial of service to webhook processing. No public exploit code or active exploitation has been identified, though the vulnerability requires valid authentication and incremental exploitation (AT:P), limiting immediate risk.
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information.
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations.
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.
OpenClaw before version 2026.3.31 allows unauthenticated remote attackers to trigger resource-intensive audio transcription processing via Telegram without proper authorization, enabling denial-of-service through billing or infrastructure exhaustion. The vulnerability stems from insufficient allowlist enforcement that permits unauthorized group senders to initiate preflight transcription operations before authentication is validated, and no public exploit code has been identified at the time of analysis.
Sandbox bypass in OpenClaw (pre-2026.3.31) enables authenticated remote attackers to escalate privileges by manipulating heartbeat context inheritance and senderIsOwner parameters. Exploitation requires low attack complexity with present attack technique capability, achieving complete compromise of confidentiality, integrity, and availability across vulnerable and subsequent system scope. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosure indicates researcher-identified vulnerability with public GitHub commit and security advisory available.
Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. EPSS score is relatively low (0.06%, 18th percentile), and no active exploitation is confirmed, but the vulnerability enables complete compromise of the execution approval workflow with low attack complexity.
OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality, where unguarded fetch() calls allow authenticated users with user interaction to make arbitrary network requests on behalf of the affected system. Remote attackers can access internal resources or interact with external services, potentially disclosing sensitive data or compromising internal infrastructure; no public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.31 fails to properly invalidate attacker-discovered endpoints during trust decline operations in remote onboarding workflows, allowing attackers to route gateway credentials to malicious endpoints by preserving their URLs through the trust decline process into manual operator acceptance prompts. The vulnerability requires user interaction (UI:A) but affects gateway credential confidentiality (VC:H), posing a significant risk to organizations using OpenClaw's remote onboarding feature with CVSS 6.9 (medium-high severity).
Authorization bypass in OpenClaw's chat.send gateway allows authenticated operator clients to spoof ACP (Access Control Provider) identity labels and inject reserved provenance metadata by manipulating WebSocket handshake client metadata. Attackers with low-privilege operator credentials can bypass intended privilege boundaries to impersonate the ACP bridge, achieving high integrity impact through unauthorized modification of chat message provenance. EPSS probability is low (0.05%, 15th percentile) and CISA SSVC indicates no active exploitation, non-automatable attacks, and partial technical impact. Vendor patch available as of version 2026.3.28.
OpenClaw before version 2026.4.2 fails to enforce write-scope authorization on the POST /sessions/:sessionKey/kill endpoint, allowing authenticated users with read-only credentials to terminate arbitrary subagent sessions. The vulnerability requires valid API credentials with read scope but does NOT require write permissions, enabling privilege escalation within identity-bearing authentication modes. No public exploit code has been identified, and this is not listed as actively exploited by CISA; however, the low CVSS score of 5.3 reflects the requirement for prior authentication rather than the ease of exploitation once credentials are obtained.
OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.
Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.
Malicious workspace plugins in OpenClaw versions before 2026.4.2 achieve arbitrary code execution by shadowing built-in channel IDs during workspace clone and setup operations. The vulnerability exploits a trust boundary flaw (CWE-829) where untrusted plugins execute before explicit user trust confirmation, requiring only that a victim clone a poisoned workspace repository. With CVSS 8.5 (High) and local attack vector requiring user interaction, real-world risk is moderate: EPSS probability sits at 0.01% (2nd percentile) with no confirmed active exploitation (not in CISA KEV), and SSVC assessment classifies it as non-automatable with total technical impact but no current exploitation.
OpenClaw versions before 2026.3.28 allow local attackers to inject malicious environment variables by placing a .env file in the current working directory, which is loaded before trusted state-directory configuration during application startup. This enables attackers to override security-sensitive runtime settings without privileges, achieving high confidentiality, integrity, and availability impact with low complexity when a user launches OpenClaw from a compromised directory. Exploitation probability is minimal (EPSS 0.01%, percentile 2%) with no active exploitation confirmed (not in CISA KEV), but a public advisory from VulnCheck describes the attack mechanism, making exploitation straightforward for local threat actors.
OpenClaw before version 2026.4.2 transmits stored gateway credentials over unencrypted WebSocket (ws://) connections when accepting non-loopback endpoints, allowing adjacent network attackers with user interaction to forge discovery results or craft malicious setup codes that redirect clients to attacker-controlled endpoints and exfiltrate plaintext credentials. No public exploit code has been identified, but the vulnerability requires proximity to the target network and user interaction to trigger the credential disclosure.
OpenClaw Client exposes PKCE verifier and stored credentials through unencrypted OAuth authorization URL query strings, allowing remote attackers to disclose authentication data when users initiate OAuth flows. The vulnerability requires user interaction (target must start authorization), has a CVSS score of 5.3 (medium), and affects all versions of OpenClaw Client. No active exploitation has been publicly reported, though the ZDI designation (ZDI-CAN-29381) indicates coordinated disclosure.
Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. Network-accessible attack vector with high complexity (CVSS:3.0 7.4 AV:N/AC:H/PR:N). No public exploit identified at time of analysis. Originally reported as ZDI-CAN-29311.
Authenticated remote attackers can traverse the file system through the OpenClaw canvas gateway endpoint to disclose sensitive information due to insufficient path validation. The vulnerability affects OpenClaw across unspecified versions and requires valid user credentials; attackers operating with low-privilege accounts can read arbitrary files in the service account context. No public exploit code or active exploitation has been identified at the time of analysis.
OpenClaw before version 2026.3.22 allows authenticated attackers to redirect webhook-triggered chat replies to unintended users by exploiting username-based recipient binding instead of stable numeric identifiers. An attacker with valid credentials can manipulate username changes to rebind webhook replies intended for one user to a different user, compromising message confidentiality and integrity. No public exploit code or active CISA exploitation data is available, but the vulnerability is confirmed patched by the vendor.
Privilege escalation in OpenClaw gateway-authenticated plugin HTTP routes allows authenticated attackers to bypass scope restrictions and gain operator.admin privileges. The vulnerability affects OpenClaw versions prior to 2026.3.25, enabling low-privileged authenticated users to perform unauthorized administrative actions through improperly minted runtime scopes. Exploitation requires network access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Path traversal in OpenClaw before 2026.3.24 allows authenticated sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameters. Incomplete validation in normalizeSandboxMediaParams and missing mediaLocalRoots context enables attackers to bypass sandbox boundaries and access sensitive data including API keys and configuration files outside designated roots. This cross-agent data leakage vulnerability requires low-privilege authentication but no user interaction. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.24 permits authenticated local attackers to trigger improper process termination via the !stop chat command, which uses an unpatched killProcessTree function that sends SIGKILL without graceful SIGTERM shutdown. This incomplete fix for CVE-2026-27486 enables attackers to corrupt data, leak resources, and skip security-sensitive cleanup operations, resulting in integrity compromise and denial of service.
Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.24 allows unauthenticated remote denial of service via the Feishu webhook handler, which accepts request bodies up to 1MB with a 30-second timeout before verifying the request signature. An attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests, blocking legitimate webhook deliveries and degrading service availability. This is an incomplete remediation of the earlier CVE-2026-32011.
OpenClaw before version 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unauthenticated remote attackers to send malformed card commands, bypassing DM pairing restrictions and reaching callback handlers without proper authorization. This enables unpaired recipients to mint legacy callback payloads, resulting in integrity compromise of the messaging protocol. No public exploit code or active exploitation has been confirmed, but the low attack complexity and network accessibility make this a practical vulnerability.
Privilege escalation in OpenClaw versions prior to 2026.3.25 allows authenticated low-privilege operators to bypass pairing requirements during backend reconnection, self-requesting elevated scopes to gain operator.admin privileges. Attackers with existing operator credentials exploit improper scope validation (CWE-648) to escalate from limited operator access to full administrative control over the OpenClaw system. Exploitation requires network access and low-privilege authentication (CVSS:3.1 PR:L), enabling high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing authenticated leaf subagents to bypass access control and message child sessions beyond their authorized scope. An authenticated attacker with subagent privileges can exploit this via the send action to communicate with restricted child sessions without proper validation, resulting in unauthorized inter-session message relay. No public exploit code has been identified, but the vulnerability has a moderate CVSS score of 4.3 reflecting the integrity impact and low attack complexity.
OpenClaw before 2026.3.25 allows remote attackers to bypass Telegram direct message pairing requirements and mutate session state through weaker callback-only authorization mechanisms. An unauthenticated attacker can craft malicious Telegram callback queries in direct messages to modify session state without satisfying the normal DM pairing security controls, resulting in unauthorized state modification with CVSS 5.3 (medium severity).
Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 accepts unresolved Bonjour and DNS-SD service discovery metadata to influence CLI routing decisions, allowing attackers on adjacent networks to redirect traffic to attacker-controlled targets through malicious TXT records. The vulnerability requires user interaction and adjacent network access but can cause information disclosure and integrity compromise without authentication.
Filesystem boundary bypass in OpenClaw before 2026.3.2 allows authenticated attackers to read arbitrary files by traversing sandbox bridge mounts outside the configured workspace, circumventing the tools.fs.workspaceOnly restriction. The vulnerability affects the image tool specifically and results in unauthorized information disclosure accessible via network with low complexity.
OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization checks on the /sessions/:sessionKey/history HTTP endpoint, enabling unauthorized access to session history data without requiring operator.read scope permissions. The vulnerability affects all OpenClaw versions prior to 2026.3.25 and requires valid authentication credentials to exploit; no public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.22 contains an authentication bypass vulnerability in X-Forwarded-For header processing when trustedProxies is configured, allowing unauthenticated remote attackers to spoof loopback client addresses and bypass canvas authentication and rate-limiting protections. The vulnerability exploits improper validation of forwarding headers to masquerade as local loopback connections, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact but no direct availability impact.
OpenClaw before version 2026.3.22 allows authenticated remote attackers to spoof tool identities through rawInput parameters, bypassing ACP permission resolution and suppressing dangerous-tool prompting via identity hint conflicts between rawInput and metadata. This authentication bypass with high integrity impact affects all versions prior to the fixed release, enabling attackers to circumvent security restrictions intended to prevent execution of dangerous operations.
Incorrect authorization in OpenClaw pre-2026.3.24 allows authenticated users with operator.write access to browser.request capability to invoke POST /reset-profile endpoint, bypassing privilege restrictions to terminate running browsers, sever Playwright connections, and relocate profile directories to system Trash. Exploitation requires low-privilege authentication (CVSS PR:L) but achieves high integrity and availability impact through unauthorized state mutation and service disruption across intended security boundaries. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
OpenClaw versions 2026.2.13 through 2026.3.24 allow unauthenticated remote attackers to inject ANSI escape sequences into approval prompts and permission logs via malicious tool metadata, enabling spoofing of terminal output and manipulation of displayed information. The vulnerability requires user interaction (display of the approval prompt) and results in integrity impact only, with a CVSS score of 4.3. A vendor patch is available.
Remote code execution in OpenClaw versions prior to 2026.3.22 allows authenticated attackers to bypass shared host environment policy via inconsistent environment variable sanitization. Attackers exploit validation inconsistencies by supplying malformed or blocked override keys that evade filtering mechanisms, enabling arbitrary code execution with unauthorized environment variable configurations. Vulnerability requires low-privilege authentication and high attack complexity. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass direct message policy controls by sending verification notices to users outside configured allowed peer lists. The vulnerability stems from insufficient access validation checks applied to verification notice transmission, enabling attackers to contact users who have restricted direct messaging policies in place. CVSS score of 5.3 reflects moderate integrity impact with low attack complexity and no authentication requirements.
OpenClaw before version 2026.3.31 allows authenticated attackers to bypass authorization controls on Discord voice channels through exploitation of stale-role validation gaps and improper channel name validation, enabling unauthorized access to restricted voice channels that should be protected by member and channel allowlists. The vulnerability requires valid Discord credentials but enables privilege escalation within voice channel access controls. No public exploit code has been identified at the time of analysis.
OpenClaw before version 2026.3.31 contains an access control bypass in its Discord voice manager that allows authenticated attackers to send voice ingress requests before channel allowlist authorization checks are enforced, gaining unauthorized access to restricted voice channels. The vulnerability exploits a race condition or authorization sequencing flaw in the voice channel access control mechanism, affecting deployments with member-level access restrictions.
Execution approval bypass in OpenClaw before 2026.3.28 allows local authenticated users with standard privileges to establish overly broad executable allowlist entries through wrapper carrier exploitation. Attackers leverage positional routing in dispatch wrappers to trust carrier executables instead of their invoked targets, escalating from limited execution approval to arbitrary code execution with high confidentiality and integrity impact. Vendor-released patch version 2026.3.28 addresses the flaw (GHSA-p4x4-2r7f-wjxg). No evidence of active exploitation or public POC identified at time of analysis.
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables authenticated operators with write permissions to modify administrator-only voice configuration settings through the chat.send endpoint. This vulnerability allows low-privileged operator accounts to manipulate sensitive Talk Voice configuration persistence, bypassing intended role-based access controls. A vendor-released patch is available via commit e34694733fc64931ed4a543c73d84ad3435d5df1. EPSS data unavailable; no CISA KEV listing or public exploit code identified at time of analysis, though the targeted nature (authenticated internal operators) suggests lower mass-exploitation risk than the CVSS 7.1 score might imply.
Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. EPSS exploitation probability and KEV status not yet available for this recently disclosed vulnerability, but a vendor patch and exploit details are publicly documented.
OpenClaw before version 2026.3.31 fails to block plugin installation when security scans detect threats, allowing authenticated users to install malicious plugins by ignoring visible scan warnings. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but enables installation of untrusted code with moderate integrity impact when exploited.
OpenClaw before version 2026.3.31 fails to properly validate message senders in Matrix thread root and reply context handling, allowing remote unauthenticated attackers to bypass sender allowlists and access filtered messages. The vulnerability requires user interaction and has low attack complexity, but impact is limited to information disclosure of message context that should have been restricted by access controls.
Authorization bypass in OpenClaw phone channel endpoints allows authenticated low-privilege users to arm or disarm phone-based alarm channels without required administrative rights. Versions prior to 2026.3.28 fail to validate operator.admin scope for /phone arm and /phone disarm API endpoints when accessed through external channels (CWE-863). Patch released via GitHub commit aa66ae1fc, with CVSS 7.1 reflecting network-accessible integrity impact requiring only low-privilege authentication. No active exploitation confirmed (not in CISA KEV); exploit development straightforward given simple API authorization flaw.
OpenClaw before version 2026.3.31 performs Discord audio preflight transcription without validating member authorization, allowing unauthenticated remote attackers to trigger resource-intensive audio processing and cause denial of service through resource exhaustion.
OpenClaw before 2026.3.31 allows authenticated users with approved host-exec requests to execute arbitrary code during build processes by overriding compiler binary environment variables (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) through an incomplete host-env-security-policy.json configuration. The vulnerability requires local access and prior authentication to an OpenClaw instance, but enables full code execution with inherited privileges during compilation. No public exploit code has been identified at time of analysis.
OpenClaw before version 2026.4.2 fails to normalize trailing-dot localhost hostnames in Chrome DevTools Protocol (CDP) discovery responses, allowing attackers to bypass loopback address protections. An unauthenticated remote attacker can craft malicious CDP discovery responses that return 'localhost.' (with trailing dot) instead of the standard 'localhost', causing the browser control mechanism to treat it as a different hostname and redirect authenticated browser sessions to attacker-controlled endpoints, potentially exposing sensitive browser state and authentication tokens.
Privilege escalation in OpenClaw chat.send API allows low-privileged gateway callers with write scope to execute admin-only session management operations. Attackers can forcibly reset user sessions, rotate session IDs, and archive chat transcripts without admin authorization by exploiting broken access control in the chat messaging path. This enables session hijacking and data manipulation attacks against legitimate users. Reported by VulnCheck disclosure team with vendor security advisory published; no public exploit or active exploitation confirmed at time of analysis.
Path traversal in OpenClaw's ACP dispatch mechanism allows authenticated remote attackers to read arbitrary files outside intended directories by manipulating inbound channel attachment paths. Attackers can bypass both attachment-cache and root directory security checks to access sensitive system files. Upstream fix available via GitHub commit 566fb73d9d, with versions prior to 2026.3.31 confirmed vulnerable. No CISA KEV listing at time of analysis, indicating targeted rather than widespread exploitation.
Environment variable disclosure in OpenClaw jq safe-bin policy allows authenticated remote attackers to extract sensitive credentials and configuration data. The vulnerability stems from incomplete filter blocking in jq program execution - specifically, the $ENV filter can bypass safe-bin restrictions to read process environment variables. Versions prior to 2026.3.28 are affected. No CISA KEV listing or public POC identified at time of analysis, but disclosure by VulnCheck indicates vendor-confirmed issue with available patch.
OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.
OpenClaw before version 2026.3.31 allows authenticated attackers to read arbitrary host files through improper validation in the appendLocalMediaParentRoots function, enabling exfiltration of credentials and sensitive data. The vulnerability permits model-initiated file access by exploiting a self-whitelisting mechanism that fails to properly validate media parent directory paths. Authentication is required, but the flaw affects confidentiality with a CVSS score of 6.0.
OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.
Remote authenticated attackers can overwrite arbitrary files on OpenClaw servers by uploading malicious tar archives containing symbolic links to the SSH sandbox feature. The vulnerability allows escaping sandbox restrictions to modify critical system files, enabling potential remote code execution or denial of service. Affects OpenClaw versions before 2026.3.31. No public exploit identified at time of analysis, with EPSS data unavailable for this recent CVE.
OpenClaw versions 2026.2.6 through 2026.3.24 allow authenticated remote attackers to read arbitrary files outside configured sandbox boundaries via path traversal in the Feishu extension's resolveUploadInput function during upload_image operations. The vulnerability bypasses file-system sandbox restrictions through improper path resolution, enabling confidentiality compromise of sensitive data accessible to the application process.
OpenClaw versions 2026.2.19 before 2026.3.31 allow authenticated attackers to suppress legitimate webhook events across different accounts in multi-tenant deployments by exploiting improper cache isolation in the Zalo webhook replay-deduplication mechanism. An attacker with control of one authenticated Zalo webhook path can match event_name and message_id parameters to suppress events on victim accounts, causing denial of service to webhook processing. No public exploit code or active exploitation has been identified, though the vulnerability requires valid authentication and incremental exploitation (AT:P), limiting immediate risk.
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protections.
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context.
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variables from parent processes to SSH child processes.
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway startup by exploiting enabled workspace hooks.
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attackers can exploit this by manipulating browser proxy profiles at runtime to access restricted profiles and bypass intended access controls.
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification.
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information.
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted group DM channels.
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints.
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service.
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect chains to intercept sensitive authorization credentials intended for legitimate requests.
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability.
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process.
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations.
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords.
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files to execute untrusted code or load malicious credentials.
OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.
OpenClaw before version 2026.3.31 allows unauthenticated remote attackers to trigger resource-intensive audio transcription processing via Telegram without proper authorization, enabling denial-of-service through billing or infrastructure exhaustion. The vulnerability stems from insufficient allowlist enforcement that permits unauthorized group senders to initiate preflight transcription operations before authentication is validated, and no public exploit code has been identified at the time of analysis.
Sandbox bypass in OpenClaw (pre-2026.3.31) enables authenticated remote attackers to escalate privileges by manipulating heartbeat context inheritance and senderIsOwner parameters. Exploitation requires low attack complexity with present attack technique capability, achieving complete compromise of confidentiality, integrity, and availability across vulnerable and subsequent system scope. No active exploitation confirmed (not in CISA KEV), but VulnCheck disclosure indicates researcher-identified vulnerability with public GitHub commit and security advisory available.
Authorization bypass in OpenClaw before 2026.3.28 allows authenticated Discord users to approve pending host execution requests without proper privileges. Attackers with low-privileged Discord accounts can bypass the execApprovals.approvers allowlist by sending crafted Discord text commands, gaining unauthorized approval authority for exec requests. EPSS score is relatively low (0.06%, 18th percentile), and no active exploitation is confirmed, but the vulnerability enables complete compromise of the execution approval workflow with low attack complexity.
OpenClaw before version 2026.3.31 contains a server-side request forgery (SSRF) vulnerability in the marketplace plugin download functionality, where unguarded fetch() calls allow authenticated users with user interaction to make arbitrary network requests on behalf of the affected system. Remote attackers can access internal resources or interact with external services, potentially disclosing sensitive data or compromising internal infrastructure; no public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.31 fails to properly invalidate attacker-discovered endpoints during trust decline operations in remote onboarding workflows, allowing attackers to route gateway credentials to malicious endpoints by preserving their URLs through the trust decline process into manual operator acceptance prompts. The vulnerability requires user interaction (UI:A) but affects gateway credential confidentiality (VC:H), posing a significant risk to organizations using OpenClaw's remote onboarding feature with CVSS 6.9 (medium-high severity).
Authorization bypass in OpenClaw's chat.send gateway allows authenticated operator clients to spoof ACP (Access Control Provider) identity labels and inject reserved provenance metadata by manipulating WebSocket handshake client metadata. Attackers with low-privilege operator credentials can bypass intended privilege boundaries to impersonate the ACP bridge, achieving high integrity impact through unauthorized modification of chat message provenance. EPSS probability is low (0.05%, 15th percentile) and CISA SSVC indicates no active exploitation, non-automatable attacks, and partial technical impact. Vendor patch available as of version 2026.3.28.
OpenClaw before version 2026.4.2 fails to enforce write-scope authorization on the POST /sessions/:sessionKey/kill endpoint, allowing authenticated users with read-only credentials to terminate arbitrary subagent sessions. The vulnerability requires valid API credentials with read scope but does NOT require write permissions, enabling privilege escalation within identity-bearing authentication modes. No public exploit code has been identified, and this is not listed as actively exploited by CISA; however, the low CVSS score of 5.3 reflects the requirement for prior authentication rather than the ease of exploitation once credentials are obtained.
OpenClaw before version 2026.3.31 allows authenticated users to exploit server-side request forgery (SSRF) through unvalidated HTTP redirects in the marketplace plugin download functionality, enabling access to internal resources and potential information disclosure. The marketplace.ts module fails to validate redirect destinations during archive downloads, permitting remote attackers with valid credentials and user interaction to redirect requests to arbitrary internal or external servers. Real-world exploitation is limited by authentication and interaction requirements, keeping the baseline CVSS at 4.8 (medium), though impact depends on network exposure of internal services.
Remote filesystem bridge in OpenClaw (<2026.3.31) enables sandbox escape through a TOCTOU race condition in readFile validation. Authenticated remote attackers can exploit the timing gap between path validation and file read operations to bypass sandbox restrictions and access arbitrary files outside the intended security boundary, potentially compromising both confidentiality and integrity of the underlying system. EPSS score of 0.03% (7th percentile) suggests low probability of widespread exploitation despite CVSS 8.8 severity, though patch availability from vendor (commit 121870a) enables defenders to remediate proactively before active exploitation begins.
Malicious workspace plugins in OpenClaw versions before 2026.4.2 achieve arbitrary code execution by shadowing built-in channel IDs during workspace clone and setup operations. The vulnerability exploits a trust boundary flaw (CWE-829) where untrusted plugins execute before explicit user trust confirmation, requiring only that a victim clone a poisoned workspace repository. With CVSS 8.5 (High) and local attack vector requiring user interaction, real-world risk is moderate: EPSS probability sits at 0.01% (2nd percentile) with no confirmed active exploitation (not in CISA KEV), and SSVC assessment classifies it as non-automatable with total technical impact but no current exploitation.
OpenClaw versions before 2026.3.28 allow local attackers to inject malicious environment variables by placing a .env file in the current working directory, which is loaded before trusted state-directory configuration during application startup. This enables attackers to override security-sensitive runtime settings without privileges, achieving high confidentiality, integrity, and availability impact with low complexity when a user launches OpenClaw from a compromised directory. Exploitation probability is minimal (EPSS 0.01%, percentile 2%) with no active exploitation confirmed (not in CISA KEV), but a public advisory from VulnCheck describes the attack mechanism, making exploitation straightforward for local threat actors.
OpenClaw before version 2026.4.2 transmits stored gateway credentials over unencrypted WebSocket (ws://) connections when accepting non-loopback endpoints, allowing adjacent network attackers with user interaction to forge discovery results or craft malicious setup codes that redirect clients to attacker-controlled endpoints and exfiltrate plaintext credentials. No public exploit code has been identified, but the vulnerability requires proximity to the target network and user interaction to trigger the credential disclosure.
OpenClaw Client exposes PKCE verifier and stored credentials through unencrypted OAuth authorization URL query strings, allowing remote attackers to disclose authentication data when users initiate OAuth flows. The vulnerability requires user interaction (target must start authorization), has a CVSS score of 5.3 (medium), and affects all versions of OpenClaw Client. No active exploitation has been publicly reported, though the ZDI designation (ZDI-CAN-29381) indicates coordinated disclosure.
Unauthenticated remote attackers bypass authentication in OpenClaw canvas endpoints due to improper authentication implementation (CWE-291). Exploitation requires no user interaction and yields high confidentiality/integrity impact. Network-accessible attack vector with high complexity (CVSS:3.0 7.4 AV:N/AC:H/PR:N). No public exploit identified at time of analysis. Originally reported as ZDI-CAN-29311.
Authenticated remote attackers can traverse the file system through the OpenClaw canvas gateway endpoint to disclose sensitive information due to insufficient path validation. The vulnerability affects OpenClaw across unspecified versions and requires valid user credentials; attackers operating with low-privilege accounts can read arbitrary files in the service account context. No public exploit code or active exploitation has been identified at the time of analysis.
OpenClaw before version 2026.3.22 allows authenticated attackers to redirect webhook-triggered chat replies to unintended users by exploiting username-based recipient binding instead of stable numeric identifiers. An attacker with valid credentials can manipulate username changes to rebind webhook replies intended for one user to a different user, compromising message confidentiality and integrity. No public exploit code or active CISA exploitation data is available, but the vulnerability is confirmed patched by the vendor.
Privilege escalation in OpenClaw gateway-authenticated plugin HTTP routes allows authenticated attackers to bypass scope restrictions and gain operator.admin privileges. The vulnerability affects OpenClaw versions prior to 2026.3.25, enabling low-privileged authenticated users to perform unauthorized administrative actions through improperly minted runtime scopes. Exploitation requires network access and low-level authentication but no user interaction. No public exploit identified at time of analysis.
Path traversal in OpenClaw before 2026.3.24 allows authenticated sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameters. Incomplete validation in normalizeSandboxMediaParams and missing mediaLocalRoots context enables attackers to bypass sandbox boundaries and access sensitive data including API keys and configuration files outside designated roots. This cross-agent data leakage vulnerability requires low-privilege authentication but no user interaction. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.24 permits authenticated local attackers to trigger improper process termination via the !stop chat command, which uses an unpatched killProcessTree function that sends SIGKILL without graceful SIGTERM shutdown. This incomplete fix for CVE-2026-27486 enables attackers to corrupt data, leak resources, and skip security-sensitive cleanup operations, resulting in integrity compromise and denial of service.
Allowlist bypass in OpenClaw before 2026.3.22 permits authenticated attackers to execute arbitrary commands by wrapping disallowed executables with /usr/bin/time. The vulnerability exploits incomplete validation in system.run approvals, which fail to detect time wrapper prefixes, allowing reuse of approval state for inner prohibited commands. Remote exploitation requires low-privilege authentication (PR:L) with network access, enabling full system compromise through command injection. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.24 allows unauthenticated remote denial of service via the Feishu webhook handler, which accepts request bodies up to 1MB with a 30-second timeout before verifying the request signature. An attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests, blocking legitimate webhook deliveries and degrading service availability. This is an incomplete remediation of the earlier CVE-2026-32011.
OpenClaw before version 2026.3.25 contains an authentication bypass vulnerability in the raw card send surface that allows unauthenticated remote attackers to send malformed card commands, bypassing DM pairing restrictions and reaching callback handlers without proper authorization. This enables unpaired recipients to mint legacy callback payloads, resulting in integrity compromise of the messaging protocol. No public exploit code or active exploitation has been confirmed, but the low attack complexity and network accessibility make this a practical vulnerability.
Privilege escalation in OpenClaw versions prior to 2026.3.25 allows authenticated low-privilege operators to bypass pairing requirements during backend reconnection, self-requesting elevated scopes to gain operator.admin privileges. Attackers with existing operator credentials exploit improper scope validation (CWE-648) to escalate from limited operator access to full administrative control over the OpenClaw system. Exploitation requires network access and low-privilege authentication (CVSS:3.1 PR:L), enabling high-impact compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing authenticated leaf subagents to bypass access control and message child sessions beyond their authorized scope. An authenticated attacker with subagent privileges can exploit this via the send action to communicate with restricted child sessions without proper validation, resulting in unauthorized inter-session message relay. No public exploit code has been identified, but the vulnerability has a moderate CVSS score of 4.3 reflecting the integrity impact and low attack complexity.
OpenClaw before 2026.3.25 allows remote attackers to bypass Telegram direct message pairing requirements and mutate session state through weaker callback-only authorization mechanisms. An unauthenticated attacker can craft malicious Telegram callback queries in direct messages to modify session state without satisfying the normal DM pairing security controls, resulting in unauthorized state modification with CVSS 5.3 (medium severity).
Insufficient access control in OpenClaw Gateway agent allows authenticated attackers with operator.write permission to reset admin sessions without operator.admin authorization. By invoking /reset or /new endpoints with explicit sessionKey parameters, attackers bypass privilege requirements and terminate arbitrary administrative sessions, achieving high-impact session hijacking. Affects OpenClaw versions prior to 2026.3.23. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 accepts unresolved Bonjour and DNS-SD service discovery metadata to influence CLI routing decisions, allowing attackers on adjacent networks to redirect traffic to attacker-controlled targets through malicious TXT records. The vulnerability requires user interaction and adjacent network access but can cause information disclosure and integrity compromise without authentication.
Filesystem boundary bypass in OpenClaw before 2026.3.2 allows authenticated attackers to read arbitrary files by traversing sandbox bridge mounts outside the configured workspace, circumventing the tools.fs.workspaceOnly restriction. The vulnerability affects the image tool specifically and results in unauthorized information disclosure accessible via network with low complexity.
OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization checks on the /sessions/:sessionKey/history HTTP endpoint, enabling unauthorized access to session history data without requiring operator.read scope permissions. The vulnerability affects all OpenClaw versions prior to 2026.3.25 and requires valid authentication credentials to exploit; no public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.22 contains an authentication bypass vulnerability in X-Forwarded-For header processing when trustedProxies is configured, allowing unauthenticated remote attackers to spoof loopback client addresses and bypass canvas authentication and rate-limiting protections. The vulnerability exploits improper validation of forwarding headers to masquerade as local loopback connections, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact but no direct availability impact.
OpenClaw before version 2026.3.22 allows authenticated remote attackers to spoof tool identities through rawInput parameters, bypassing ACP permission resolution and suppressing dangerous-tool prompting via identity hint conflicts between rawInput and metadata. This authentication bypass with high integrity impact affects all versions prior to the fixed release, enabling attackers to circumvent security restrictions intended to prevent execution of dangerous operations.
Incorrect authorization in OpenClaw pre-2026.3.24 allows authenticated users with operator.write access to browser.request capability to invoke POST /reset-profile endpoint, bypassing privilege restrictions to terminate running browsers, sever Playwright connections, and relocate profile directories to system Trash. Exploitation requires low-privilege authentication (CVSS PR:L) but achieves high integrity and availability impact through unauthorized state mutation and service disruption across intended security boundaries. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 suffers from an authorization bypass in its interactive callback dispatch mechanism that permits unauthenticated remote attackers to execute action handlers without sender allowlist validation. The vulnerability exploits a race condition or timing gap where callbacks are processed before security checks complete, enabling unauthorized state modification and availability impact. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity and lack of authentication requirements make this a practical threat to exposed OpenClaw deployments.
OpenClaw versions 2026.2.13 through 2026.3.24 allow unauthenticated remote attackers to inject ANSI escape sequences into approval prompts and permission logs via malicious tool metadata, enabling spoofing of terminal output and manipulation of displayed information. The vulnerability requires user interaction (display of the approval prompt) and results in integrity impact only, with a CVSS score of 4.3. A vendor patch is available.
Remote code execution in OpenClaw versions prior to 2026.3.22 allows authenticated attackers to bypass shared host environment policy via inconsistent environment variable sanitization. Attackers exploit validation inconsistencies by supplying malformed or blocked override keys that evade filtering mechanisms, enabling arbitrary code execution with unauthorized environment variable configurations. Vulnerability requires low-privilege authentication and high attack complexity. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 allows unauthenticated remote attackers to bypass access control denials by exploiting improper handling of empty allowlists during settings reconciliation, silently restoring previously revoked permissions. The vulnerability treats explicitly empty allowlists as unset rather than as explicit deny-all configurations, enabling attackers to undo intended access revocations without authentication. With a CVSS score of 6.5 and network-accessible attack vector, this represents a moderate-severity logic flaw affecting access control enforcement.
OpenClaw before version 2026.3.22 allows policy bypass through unvalidated queued node actions, enabling attackers to execute unauthorized commands by exploiting stale allowlists or policy declarations that persist after policy changes. The vulnerability requires network access and high attack complexity but no authentication, resulting in integrity impact without exposing confidentiality or availability. No public exploit code or active exploitation has been confirmed.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass direct message policy controls by sending verification notices to users outside configured allowed peer lists. The vulnerability stems from insufficient access validation checks applied to verification notice transmission, enabling attackers to contact users who have restricted direct messaging policies in place. CVSS score of 5.3 reflects moderate integrity impact with low attack complexity and no authentication requirements.