Openclaw
Monthly
OpenClaw before version 2026.3.24 allows authenticated operator.write-scoped clients to escalate privileges and modify channel authorization policies normally restricted to operator.admin scope through improper scope re-validation in the /allowlist command. Attackers with write-level permissions can exploit the chat.send function to construct an internal command-authorized context and persist unauthorized changes to channel allowFrom and groupAllowFrom policies, effectively bypassing access control mechanisms.
OpenClaw before version 2026.3.24 fails to enforce authorization checks in the /send and /allowlist chat command handlers, allowing authenticated users with operator.write scope to bypass owner-only restrictions and modify session delivery policies and allowlist configurations. Attackers can persistently alter sendPolicy settings and add entries to allowlists without proper admin authorization, resulting in integrity and availability impacts within the affected session.
OpenClaw before version 2026.3.24 allows authenticated operators with only operator.approvals scope to enumerate sensitive gateway model metadata via the HTTP /v1/models endpoint, bypassing stricter WebSocket RPC authorization controls. Attackers with limited operator privileges can access information that should be restricted to higher-privilege read scopes, resulting in unauthorized information disclosure.
Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. Vendor-released patch version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505) resolves the issue.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass pre-authentication rate limiting on webhook token validation, enabling brute-force attacks against weak webhook secrets through rapid successive requests. The vulnerability stems from absent throttling on invalid token rejection attempts, permitting attackers to enumerate valid tokens without login credentials or triggering defensive rate-limiting mechanisms.
OpenClaw before version 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that improperly uses a synthetic operator.admin runtime scope, allowing authenticated attackers to execute privileged operations with unintended administrative access by triggering session deletion without a request-scoped client. CVSS score of 6.1 reflects the requirement for low-level user authentication (PR:L) and network accessibility; patch availability is confirmed.
Credential exposure in OpenClaw gateway snapshots enables authenticated attackers with operator.read scope to extract embedded authentication tokens from channel configuration URLs. Attackers query config.get and channels.status API endpoints to retrieve gateway snapshots containing credentials in URL userinfo components of baseUrl and httpUrl fields. Affects OpenClaw versions prior to 2026.3.22. Authentication required (PR:L); no public exploit identified at time of analysis.
OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization controls in mention-gated groups by triggering reaction events that circumvent the requireMention access control mechanism, enabling them to enqueue agent-visible system events that should remain restricted. This medium-severity vulnerability (CVSS 5.3) affects the integrity of group-based access policies and requires user interaction at the network level but leverages low privilege requirements.
OpenClaw before version 2026.3.25 processes JSON webhook request bodies before validating cryptographic signatures, allowing unauthenticated remote attackers to trigger denial of service by submitting malicious webhook payloads that force computationally expensive JSON parsing operations. The vulnerability exploits a logic-ordering defect where signature validation occurs after resource-intensive parsing, enabling attackers to exhaust server resources without valid credentials. No public exploit code has been identified at the time of analysis, though the attack requires only network access and is trivially exploitable.
Privilege escalation in OpenClaw before 2026.3.22 enables authenticated attackers with operator.pairing approver role to escalate privileges to operator.admin through insufficient scope validation in the device.pair.approve method. Exploitation allows approval of device requests with broader operator scopes than the approver legitimately holds, ultimately enabling remote code execution on Node infrastructure. Affects OpenClaw deployments where role-based access control enforces operator privilege hierarchies. No public exploit identified at time of analysis.
Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. Affects OpenClaw versions prior to 2026.3.22. Attackers with low-privilege access can escalate to high-impact confidentiality and integrity compromise. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 performs cite expansion before completing channel and direct message authorization checks, allowing unauthenticated remote attackers to access or manipulate content prior to authorization validation. This timing vulnerability exposes information disclosure and potential content tampering risks due to premature processing of cite operations that bypass security boundaries.
OpenClaw before version 2026.3.23 contains an authentication bypass in the Canvas gateway where the authorizeCanvasRequest() function unconditionally allows local-direct requests without validating bearer tokens or Canvas capabilities, enabling unauthenticated attackers on the local system to send loopback HTTP and WebSocket requests to bypass authentication and access Canvas routes. The vulnerability requires local network access but no prior authentication, affecting all versions prior to the patched release.
OpenClaw before version 2026.3.22 allows remote attackers to trigger denial of service through unbounded memory allocation in HTTP error handling for remote media endpoints. By sending specially crafted HTTP error responses with large bodies, unauthenticated attackers can exhaust application memory, causing availability degradation. The vulnerability requires only network access and no user interaction, making it a practical attack vector for service disruption.
OpenClaw through version 2026.2.22 allows authenticated local attackers to execute arbitrary code or manipulate system files via symlink traversal in the agents.create and agents.update handlers. The vulnerability stems from unsafe use of fs.appendFile on IDENTITY.md without validating symlink targets, permitting attackers with workspace access to plant symlinks pointing to sensitive files like crontab or SSH configuration directories and inject malicious content through the agent creation/update process.
Authorization bypass in OpenClaw versions prior to 2026.3.22 allows authenticated low-privilege users to execute administrative control-plane operations through internal ACP chat commands. The vulnerability stems from missing operator.admin scope enforcement on mutating commands, enabling unauthorized users to invoke privileged actions that modify system configuration or state. Exploitation requires authenticated access but no elevated privileges, permitting lateral privilege escalation to administrative functions. No public exploit identified at time of analysis.
Server-side request forgery (SSRF) in OpenClaw before version 2026.3.25 allows authenticated attackers to bypass configured endpoint protections through unguarded fetch() calls in channel extensions, enabling rebinding of requests to internal resources and potential unauthorized access to restricted services. The vulnerability affects multiple channel extensions that fail to properly validate or restrict base URL usage, with a CVSS score of 5.3 reflecting moderate risk due to required authentication and limited initial impact scope.
OpenClaw before version 2026.3.25 lacks rate limiting on Telegram webhook authentication, enabling unauthenticated remote attackers to brute-force weak webhook secrets through repeated guesses without throttling. This vulnerability permits systematic credential enumeration, potentially allowing attackers to forge webhook messages and intercept or manipulate Telegram-based communications processed by affected OpenClaw deployments. No public exploit code or active exploitation has been confirmed at this time.
OpenClaw before 2026.3.22 processes cryptographic operations on inbound Nostr direct messages prior to validating sender identity and pairing status, allowing unauthenticated remote attackers to trigger denial of service through resource exhaustion by sending crafted messages. CVSS 6.9 reflects moderate impact with low integrity and availability degradation; no public exploit code or active exploitation has been confirmed.
Unauthenticated resource exhaustion in OpenClaw before 2026.3.22 allows remote attackers to cause denial of service by sending large or malicious webhook requests to the voice call handler, which buffers request bodies before validating provider signatures. The vulnerability requires only network access (AV:N, PR:N) and can be exploited with low complexity, making it a practical attack vector for disrupting service availability.
Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.
OpenClaw before version 2026.3.22 uses room names instead of stable tokens for Nextcloud Talk room authorization, allowing authenticated attackers to bypass allowlist policies by creating similarly named rooms and gaining unauthorized access to protected conversations. The vulnerability requires low privileges and high attack complexity but poses a direct confidentiality and integrity risk to room access controls. No public exploit code or active exploitation has been reported.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to brute-force webhook authentication credentials due to missing rate limiting on password validation attempts. The vulnerability enables attackers to perform repeated authentication guesses against the webhook endpoint without throttling, potentially compromising webhook security and gaining unauthorized access to webhook functionality.
OpenClaw's Plivo V2 signature verification implementation allows remote attackers to bypass replay protection and forge authenticated requests by manipulating URL query parameters. The flaw affects OpenClaw versions before 2026.3.23 and stems from deriving replay protection keys from the full URL including query strings rather than the canonical base URL, enabling attackers to create new valid request signatures by modifying only query parameters on previously signed requests. With 8% EPSS percentile and high attack complexity (AC:H), this represents moderate real-world risk despite the 8.3 CVSS score. Public proof-of-concept commits demonstrate the vulnerability, though no active exploitation is confirmed.
Authorization bypass in OpenClaw versions prior to 2026.3.25 enables authenticated users to terminate arbitrary subagent sessions through the /sessions/:sessionKey/kill HTTP endpoint. Exploiting CWE-863 improper authorization, low-privilege authenticated attackers execute admin-level killSubagentRunAdmin functions without ownership or operator scope validation, achieving high integrity and availability impact on targeted sessions. No public exploit identified at time of analysis.
OpenClaw before version 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in Gemini OAuth flows, exposing cryptographic material through the redirect URL and enabling attackers who capture the URL to obtain both the authorization code and PKCE verifier, defeating PKCE protection and allowing unauthorized token redemption. The vulnerability requires user interaction (redirect capture) but has high confidentiality impact affecting OAuth security mechanisms; it is an information disclosure flaw in the OAuth implementation itself rather than a remote code execution threat.
OpenClaw prior to commit b57b680 allows authenticated users to bypass the approval system by exploiting inconsistent environment variable normalization between approval validation and execution paths. An attacker with low privileges can inject non-portable environment variable keys that are filtered during operator review but accepted at runtime, potentially enabling execution of attacker-controlled binaries. This vulnerability has a CVSS score of 6.9 (medium-high impact) and requires user interaction but affects the integrity of the approval workflow.
OpenClaw versions prior to commit 8aceaf5 allow authenticated remote attackers to bypass shell-bleed protection validation by crafting complex command forms such as piped execution, command substitution, or subshell invocation, enabling execution of arbitrary script content that should be blocked. The vulnerability affects the validateScriptFileForShellBleed() parser, which fails to recognize obfuscated command structures; no public exploit code has been identified at time of analysis, though a vendor patch is available.
Server-side request forgery in OpenClaw before 2026.3.28 allows unauthenticated remote attackers to fetch internal URLs through unguarded image download operations in the fal provider image-generation-provider.ts component, enabling exposure of internal service metadata and responses via the image pipeline. CVSS 5.3 indicates moderate integrity impact without authentication requirements. No public exploit code or active exploitation confirmed at time of analysis.
WebSocket session fixation in OpenClaw before version 2026.3.28 enables attackers to maintain unauthorized access after credential revocation. The vulnerability permits unauthenticated remote attackers (CVSS PR:N) to exploit persistent WebSocket connections that fail to terminate when device tokens are revoked, resulting in high confidentiality impact. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity. EPSS data not available; affects OpenClaw deployments with WebSocket-based device communication.
OpenClaw before version 2026.3.24 contains a sandbox bypass vulnerability in its message tool that allows local attackers to read arbitrary files by manipulating mediaUrl and fileUrl alias parameters to circumvent localRoots validation. The vulnerability exploits improper input sanitization in file request routing, enabling unauthorized disclosure of sensitive files outside the intended sandbox directory without requiring authentication or user interaction.
Brute-force attacks against OpenClaw webhook authentication allow unauthenticated remote attackers to forge Nextcloud Talk webhook events by exploiting missing rate limiting on shared secret validation. Affecting OpenClaw versions prior to 2026.3.28, attackers can repeatedly attempt authentication without throttling to compromise weak shared secrets and inject malicious webhook payloads. CVSS 9.8 critical severity reflects network-accessible attack surface requiring no authentication. No public exploit identified at time of analysis, though EPSS data not available. Vendor-released patch available via commit e403decb6e20091b5402780a7ccd2085f98aa3cd.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward caller scopes during approval checks, enabling attackers with basic pairing privileges-or potentially no privileges given the CVSS PR:N vector-to approve device requests with elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the CVSS 9.8 reflects trivial exploitation due to network accessibility, low complexity, and no authentication barrier. Vendor-released patch: commit e403dec (2026.3.28+).
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables unauthenticated remote attackers to approve node pairings with unauthorized elevated scopes, bypassing authorization controls through missing callerScopes validation in the node pairing approval mechanism. This vulnerability (CWE-863: Incorrect Authorization) allows attackers to extend privileges onto paired nodes beyond their intended authorization level. CVSS 9.8 Critical with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
Unauthenticated attackers can force OpenClaw versions before 2026.3.28 to download and store arbitrary media files through Zalo messaging channels, bypassing sender authorization checks. The flaw allows remote exploitation without authentication (CVSS 9.8 critical) to consume network bandwidth and storage resources. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of pre-validation authorization checks. Vendor-released patch available via commit 68ceaf7a5.
OpenClaw before version 2026.3.12 allows authenticated attackers to bypass rate limiting on webhook secret validation by exploiting a logic flaw that applies rate limits only after successful authentication, enabling brute-force attacks against webhook credentials and injection of forged Zalo webhook traffic. The vulnerability requires authenticated access but results in high-confidence credential compromise.
Webhook secret brute-forcing in OpenClaw before 2026.3.12 enables attackers to forge authenticated webhooks by exploiting pre-authentication rate limit bypass. Unauthenticated remote attackers can systematically guess webhook secrets without triggering rate limiting (which only applies post-authentication), then submit forged webhook payloads to compromise system integrity and confidentiality. CVSS 9.8 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation requires only standard HTTP tooling. EPSS data not available; exploitation appears automatable given the straightforward nature of brute-force attacks against webhook endpoints.
Sandbox escape in OpenClaw (before version 2026.3.11) allows local authenticated users to write arbitrary files outside validated directories via a TOCTOU race condition during staged file writes. The fs-bridge component fails to anchor temporary file operations to verified parent directories, enabling attackers to manipulate path aliases between validation and execution phases. CVSS 7.5 (High) reflects the local attack vector with high complexity, but scope change (S:C) indicates potential container/sandbox breakout. No public exploit identified at time of analysis, though the race condition vulnerability class (CWE-367) is well-understood by attackers.
Telegram bot token exposure in OpenClaw's media download error handling allows unauthenticated remote attackers to harvest sensitive API credentials through information disclosure. Versions prior to 2026.3.13 embed complete Telegram file URLs containing bot tokens in MediaFetchError exceptions, leaking credentials to application logs and error surfaces. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the vulnerability requires minimal technical sophistication to exploit given the network-accessible attack vector and low complexity (CVSS:3.1/AV:N/AC:L/PR:N).
OpenClaw before 2026.3.11 allows authenticated local attackers to bypass sandbox boundaries and write files outside validated paths via a time-of-check-time-of-use race condition in the fs-bridge writeFile commit operation. An attacker with local access and sufficient privileges can exploit unanchored container paths during file move operations to redirect committed files outside the sandbox, achieving arbitrary file write capabilities within the container mount namespace. No public exploit code or active exploitation has been confirmed.
OpenClaw before version 2026.3.11 allows authenticated users to bypass authorization restrictions and modify protected configuration on sibling accounts through channel commands, despite configWrites: false restrictions. An attacker with legitimate access to one account can execute /config set commands targeting another account's channel provider configuration, achieving unauthorized modification of settings across account boundaries. This vulnerability is neither actively exploited nor known to have public proof-of-concept code available.
Command substitution in OpenClaw's node-host approval system allows authenticated attackers with low privileges to execute arbitrary local code by deceiving operators through mismatched approval displays. The system shows extracted shell payloads during approval but executes different argv commands, enabling wrapper-binary attacks where approved commands differ from executed commands. Authentication is required (PR:L) with high attack complexity (AC:H) and user interaction (UI:R). No public exploit identified at time of analysis, though the vulnerability class (CWE-451: UI Misrepresentation of Critical Information) indicates the technical mechanism is well-understood.
OpenClaw before version 2026.3.11 allows local authenticated users to bypass local authentication boundaries through a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are incorrectly treated as unset, enabling fallback to remote credentials in local-only mode. The vulnerability requires local access and specific misconfiguration of auth references but can result in information disclosure if an attacker selects incorrect credential sources via CLI and helper paths. No public exploit code or active exploitation has been identified.
OpenClaw before 2026.3.8 allows authenticated remote attackers to bypass approval controls in the system.run function by obtaining approval for a script, modifying the approved script file before execution, and executing malicious content while preserving the approved command structure. This approval-execution window vulnerability enables privilege escalation and code execution with low complexity and no user interaction required. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution in OpenClaw (versions prior to 2026.3.12) enables attackers to execute arbitrary malicious code when users open compromised repositories. The vulnerability stems from automatic plugin loading from .OpenClaw/extensions/ directories without trust verification, allowing attackers to embed malicious workspace plugins in cloned Git repositories. CVSS 9.8 (Critical) reflects network-based exploitation requiring no authentication or user interaction. No public exploit identified at time of analysis, though the attack mechanism is straightforward for social engineering scenarios targeting developers.
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (GitHub commit demonstrates the fix, implying POC-level understanding in security community).
Authorization bypass in OpenClaw 2026.3.7 through 2026.3.10 enables remote unauthenticated attackers to execute privileged gateway operations through plugin subagent routes. The vulnerability exploits synthetic operator clients with excessive administrative scopes, allowing attackers to delete sessions and execute agent commands without authentication. CVSS 7.7 (High) with network attack vector but high complexity (AC:H). No public exploit identified at time of analysis, though technical details are available via GitHub security advisory and VulnCheck analysis.
Credential exposure in OpenClaw gateway pairing mechanism allows remote attackers to extract and reuse long-lived shared gateway credentials embedded in pairing setup codes. Attackers who obtain QR codes or pairing tokens from chat logs, screenshots, or system logs can recover persistent gateway credentials intended for one-time use, enabling unauthorized gateway access without authentication. EPSS data not available; no public exploit identified at time of analysis. Affects OpenClaw versions prior to 2026.3.12.
OpenClaw before version 2026.3.8 allows local authenticated attackers to write files outside the intended tools directory through a time-of-check-time-of-use (TOCTOU) path traversal vulnerability in the skills download installer. An attacker with local access and low privileges can rebind the tools-root symbolic link or path between the initial validation check and the final archive extraction, causing the installer to write malicious files to arbitrary locations on the system. While the attack requires local access and moderate effort (high complexity), successful exploitation grants the attacker arbitrary file write capability with potential impact on system integrity and availability.
Authorization bypass in OpenClaw gateway agent RPC enables authenticated operators with operator.write permission to escape workspace boundaries and execute arbitrary operations outside designated directories. Attackers supply malicious spawnedBy and workspaceDir parameters to perform file and exec operations from any process-accessible location. CVSS 8.7 reflects high confidentiality, integrity, and availability impact with network attack vector and low complexity. No public exploit identified at time of analysis, though EPSS data unavailable. VulnCheck identified this as an information disclosure vector affecting OpenClaw versions prior to 2026.3.11.
OpenClaw before 2026.2.17 stores session transcript JSONL files with overly permissive default file permissions, enabling local authenticated users to read transcript contents and extract sensitive information including secrets from tool output. The vulnerability requires local access and authenticated status on the system, affecting confidentiality of cached session data. No public exploit code or active exploitation has been confirmed, though the attack surface is high given the local nature and ease of file access.
Bootstrap setup code replay in OpenClaw before 2026.3.13 enables unauthenticated remote attackers to escalate privileges to operator.admin during device pairing. The vulnerability (CWE-294: Capture-replay) in src/infra/device-bootstrap.ts permits multiple verification attempts of valid bootstrap codes before approval, allowing escalation of pending pairing scopes. CVSS 9.3 (Critical) reflects network-accessible attack with low complexity and no user interaction required. EPSS data unavailable; no public exploit identified at time of analysis. Vendor-released patch available via GitHub commit 1803d16d.
Resource exhaustion in OpenClaw webhook endpoint allows remote attackers to consume server memory and processing resources via unauthenticated Telegram webhook POST requests. OpenClaw versions prior to 2026.3.13 process and buffer entire request bodies before validating authentication tokens, enabling denial-of-service attacks with no authentication required. CVSS 8.7 (High) reflects network-accessible, low-complexity attack with high availability impact. No public exploit identified at time of analysis, though the attack technique is straightforward given the architectural flaw.
Time-of-check-time-of-use (TOCTOU) race condition in OpenClaw runtime (<2026.3.11) allows local authenticated attackers with low privileges to execute arbitrary code by modifying approved scripts between authorization and execution phases. The vulnerability (CWE-367) enables privilege escalation to the OpenClaw runtime user context, requiring user interaction but trivial attack complexity. No public exploit identified at time of analysis, though EPSS data unavailable and CVE not present in CISA KEV catalog.
Approval bypass in OpenClaw before 2026.3.11 allows low-privileged remote attackers to execute arbitrary code by exploiting race conditions in system.run approvals. Attackers obtain legitimate approval for benign scripts, then overwrite referenced files before execution via vulnerable tsx/jiti runners. With CVSS 9.4 (critical severity, network-accessible, low complexity) and EPSS data not yet available for this 2026 CVE, organizations using OpenClaw's script execution features face immediate risk despite requiring user interaction and low-level authentication. No public exploit identified at time of analysis, though the approval bypass mechanism is documented in vendor advisory GHSA-qc36-x95h-7j53.
OpenClaw before version 2026.3.12 allows authentication bypass in Zalouser allowlist mode by matching mutable group display names instead of stable identifiers, enabling attackers to create identically-named groups and route messages from unauthorized groups to the agent. The vulnerability requires network access and no authentication, affecting the confidentiality and integrity of message routing with a CVSS score of 6.9. No public exploit code has been identified at time of analysis.
Execution allowlist bypass in OpenClaw (versions prior to 2026.3.11) enables unauthenticated remote attackers to execute arbitrary commands by exploiting improper pattern normalization in matchesExecAllowlistPattern. The vulnerability stems from lowercasing and overly permissive glob matching logic that incorrectly allows the ? wildcard to match across POSIX path segments, circumventing intended security restrictions. No public exploit identified at time of analysis, though CVSS 8.8 severity reflects network-accessible attack vector with no authentication required and high integrity/availability impact.
Privilege escalation in OpenClaw versions prior to 2026.3.11 allows authenticated users with operator.write permissions to execute administrative browser profile management functions, bypassing role-based access controls. Attackers can persist malicious remote Chrome DevTools Protocol (CDP) endpoints to disk, enabling potential remote code execution or session hijacking without operator.admin privileges. EPSS data not available; no public exploit identified at time of analysis. CVSS 7.1 (High) reflects network-accessible attack requiring only low-privileged authentication.
OpenClaw before version 2026.3.12 permits authorization bypass in Feishu reaction event handling when chat_type parameters are omitted, causing group chat events to be misclassified as peer-to-peer conversations and allowing attackers to circumvent groupAllowFrom and requireMention security controls. Unauthenticated remote attackers can exploit this with low complexity to achieve partial confidentiality and integrity impacts. No public exploit code has been identified, but the vulnerability is straightforward to trigger once the root cause is understood.
OpenClaw before version 2026.3.11 allows authenticated non-allowlisted Discord guild members to bypass authorization checks on reaction ingestion events, enabling them to inject arbitrary reaction text into downstream session context that is trusted as legitimate system events. This authentication-required authorization bypass affects all OpenClaw deployments integrating Discord guild reaction handling and has a CVSS score of 5.3 with confirmed patch availability.
Privilege escalation in OpenClaw device token rotation (versions before 2026.3.11) enables authenticated attackers with operator.pairing scope to mint tokens with arbitrary elevated scopes, including operator.admin privileges. This scope validation bypass permits remote code execution on connected nodes via system.run API and unauthorized gateway-admin access. CVSS 9.4 (Critical) with network attack vector and low complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis, though technical details disclosed via GitHub security advisory increase exploitation risk.
OpenClaw before version 2026.3.11 allows authenticated operators with write-scoped permissions to bypass authorization controls and execute admin-only session reset functionality. Attackers holding operator.write privileges can issue agent requests containing /new or /reset slash commands to reset conversation state without requiring operator.admin credentials, resulting in unauthorized modification of session data. This vulnerability has a CVSS score of 6.9 and affects the core authorization logic that protects sensitive administrative operations.
Session sandbox escape in OpenClaw versions prior to 2026.3.11 allows local authenticated attackers with low-privilege sandboxed subagent access to read and modify session data across isolation boundaries by manipulating sessionKey parameters in the session_status tool. Exploitation enables unauthorized access to parent or sibling session state including persisted model overrides, bypassing critical security isolation controls. No public exploit identified at time of analysis, though the authentication bypass mechanism is clearly documented in vendor security advisory.
Sandbox escape in OpenClaw versions before 2026.3.11 enables low-privilege leaf subagents to bypass isolation boundaries and manipulate sibling processes with elevated tool policies. Local authenticated attackers can terminate competing worker threads, redirect execution flows, and execute operations outside their intended security context by exploiting insufficient authorization on subagent control APIs. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though the technical advisory provides detailed vulnerability mechanics.
Privilege escalation in OpenClaw versions before 2026.3.12 allows authenticated users with command authorization to access owner-restricted configuration and debug endpoints due to missing permission checks. Attackers can read and modify privileged settings intended only for owners, effectively bypassing role-based access controls. CVSS 8.7 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though the vulnerability class (CWE-863: incorrect authorization) is commonly targeted once disclosed.
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).
OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.
OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.
OpenClaw before version 2026.2.19 contains a command injection vulnerability in the tools.exec.safeBins function that allows local attackers with limited privileges to bypass stdin-only execution restrictions through specially crafted sort output flags (sort -o) or recursive grep flags (grep -R). An authenticated attacker can exploit this to perform arbitrary file writes or reads, circumventing the intended safe-bin execution model that restricts command capabilities. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting technical details.
OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.
OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.
OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.
OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.
OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.
OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.
OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.
OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.
OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.
OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.
OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.
OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.
OpenClaw before version 2026.3.24 allows authenticated operator.write-scoped clients to escalate privileges and modify channel authorization policies normally restricted to operator.admin scope through improper scope re-validation in the /allowlist command. Attackers with write-level permissions can exploit the chat.send function to construct an internal command-authorized context and persist unauthorized changes to channel allowFrom and groupAllowFrom policies, effectively bypassing access control mechanisms.
OpenClaw before version 2026.3.24 fails to enforce authorization checks in the /send and /allowlist chat command handlers, allowing authenticated users with operator.write scope to bypass owner-only restrictions and modify session delivery policies and allowlist configurations. Attackers can persistently alter sendPolicy settings and add entries to allowlists without proper admin authorization, resulting in integrity and availability impacts within the affected session.
OpenClaw before version 2026.3.24 allows authenticated operators with only operator.approvals scope to enumerate sensitive gateway model metadata via the HTTP /v1/models endpoint, bypassing stricter WebSocket RPC authorization controls. Attackers with limited operator privileges can access information that should be restricted to higher-privilege read scopes, resulting in unauthorized information disclosure.
Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. Vendor-released patch version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505) resolves the issue.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass pre-authentication rate limiting on webhook token validation, enabling brute-force attacks against weak webhook secrets through rapid successive requests. The vulnerability stems from absent throttling on invalid token rejection attempts, permitting attackers to enumerate valid tokens without login credentials or triggering defensive rate-limiting mechanisms.
OpenClaw before version 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that improperly uses a synthetic operator.admin runtime scope, allowing authenticated attackers to execute privileged operations with unintended administrative access by triggering session deletion without a request-scoped client. CVSS score of 6.1 reflects the requirement for low-level user authentication (PR:L) and network accessibility; patch availability is confirmed.
Credential exposure in OpenClaw gateway snapshots enables authenticated attackers with operator.read scope to extract embedded authentication tokens from channel configuration URLs. Attackers query config.get and channels.status API endpoints to retrieve gateway snapshots containing credentials in URL userinfo components of baseUrl and httpUrl fields. Affects OpenClaw versions prior to 2026.3.22. Authentication required (PR:L); no public exploit identified at time of analysis.
OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization controls in mention-gated groups by triggering reaction events that circumvent the requireMention access control mechanism, enabling them to enqueue agent-visible system events that should remain restricted. This medium-severity vulnerability (CVSS 5.3) affects the integrity of group-based access policies and requires user interaction at the network level but leverages low privilege requirements.
OpenClaw before version 2026.3.25 processes JSON webhook request bodies before validating cryptographic signatures, allowing unauthenticated remote attackers to trigger denial of service by submitting malicious webhook payloads that force computationally expensive JSON parsing operations. The vulnerability exploits a logic-ordering defect where signature validation occurs after resource-intensive parsing, enabling attackers to exhaust server resources without valid credentials. No public exploit code has been identified at the time of analysis, though the attack requires only network access and is trivially exploitable.
Privilege escalation in OpenClaw before 2026.3.22 enables authenticated attackers with operator.pairing approver role to escalate privileges to operator.admin through insufficient scope validation in the device.pair.approve method. Exploitation allows approval of device requests with broader operator scopes than the approver legitimately holds, ultimately enabling remote code execution on Node infrastructure. Affects OpenClaw deployments where role-based access control enforces operator privilege hierarchies. No public exploit identified at time of analysis.
Privilege escalation in OpenClaw Control UI enables unauthenticated attackers to claim arbitrary privileged scopes without device identity verification. By exploiting the trusted-proxy mechanism's device-less allow path, attackers bypass authentication requirements and maintain elevated permissions across sessions. Affects OpenClaw versions prior to 2026.3.22. Attackers with low-privilege access can escalate to high-impact confidentiality and integrity compromise. No public exploit identified at time of analysis.
OpenClaw before version 2026.3.22 performs cite expansion before completing channel and direct message authorization checks, allowing unauthenticated remote attackers to access or manipulate content prior to authorization validation. This timing vulnerability exposes information disclosure and potential content tampering risks due to premature processing of cite operations that bypass security boundaries.
OpenClaw before version 2026.3.23 contains an authentication bypass in the Canvas gateway where the authorizeCanvasRequest() function unconditionally allows local-direct requests without validating bearer tokens or Canvas capabilities, enabling unauthenticated attackers on the local system to send loopback HTTP and WebSocket requests to bypass authentication and access Canvas routes. The vulnerability requires local network access but no prior authentication, affecting all versions prior to the patched release.
OpenClaw before version 2026.3.22 allows remote attackers to trigger denial of service through unbounded memory allocation in HTTP error handling for remote media endpoints. By sending specially crafted HTTP error responses with large bodies, unauthenticated attackers can exhaust application memory, causing availability degradation. The vulnerability requires only network access and no user interaction, making it a practical attack vector for service disruption.
OpenClaw through version 2026.2.22 allows authenticated local attackers to execute arbitrary code or manipulate system files via symlink traversal in the agents.create and agents.update handlers. The vulnerability stems from unsafe use of fs.appendFile on IDENTITY.md without validating symlink targets, permitting attackers with workspace access to plant symlinks pointing to sensitive files like crontab or SSH configuration directories and inject malicious content through the agent creation/update process.
Authorization bypass in OpenClaw versions prior to 2026.3.22 allows authenticated low-privilege users to execute administrative control-plane operations through internal ACP chat commands. The vulnerability stems from missing operator.admin scope enforcement on mutating commands, enabling unauthorized users to invoke privileged actions that modify system configuration or state. Exploitation requires authenticated access but no elevated privileges, permitting lateral privilege escalation to administrative functions. No public exploit identified at time of analysis.
Server-side request forgery (SSRF) in OpenClaw before version 2026.3.25 allows authenticated attackers to bypass configured endpoint protections through unguarded fetch() calls in channel extensions, enabling rebinding of requests to internal resources and potential unauthorized access to restricted services. The vulnerability affects multiple channel extensions that fail to properly validate or restrict base URL usage, with a CVSS score of 5.3 reflecting moderate risk due to required authentication and limited initial impact scope.
OpenClaw before version 2026.3.25 lacks rate limiting on Telegram webhook authentication, enabling unauthenticated remote attackers to brute-force weak webhook secrets through repeated guesses without throttling. This vulnerability permits systematic credential enumeration, potentially allowing attackers to forge webhook messages and intercept or manipulate Telegram-based communications processed by affected OpenClaw deployments. No public exploit code or active exploitation has been confirmed at this time.
OpenClaw before 2026.3.22 processes cryptographic operations on inbound Nostr direct messages prior to validating sender identity and pairing status, allowing unauthenticated remote attackers to trigger denial of service through resource exhaustion by sending crafted messages. CVSS 6.9 reflects moderate impact with low integrity and availability degradation; no public exploit code or active exploitation has been confirmed.
Unauthenticated resource exhaustion in OpenClaw before 2026.3.22 allows remote attackers to cause denial of service by sending large or malicious webhook requests to the voice call handler, which buffers request bodies before validating provider signatures. The vulnerability requires only network access (AV:N, PR:N) and can be exploited with low complexity, making it a practical attack vector for disrupting service availability.
Privilege escalation in OpenClaw (versions prior to 2026.3.25) enables authenticated local attackers to silently elevate permissions from operator.read to operator.admin during shared-auth reconnection events, achieving remote code execution on affected nodes. The vulnerability exploits auto-approval of scope-upgrade requests in local reconnection flows, requiring low-privilege local access (PR:L) with no user interaction. No public exploit identified at time of analysis. Vendor-released patch available via commit 81ebc7e0344fd19c85778e883bad45e2da972229.
OpenClaw before version 2026.3.22 uses room names instead of stable tokens for Nextcloud Talk room authorization, allowing authenticated attackers to bypass allowlist policies by creating similarly named rooms and gaining unauthorized access to protected conversations. The vulnerability requires low privileges and high attack complexity but poses a direct confidentiality and integrity risk to room access controls. No public exploit code or active exploitation has been reported.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to brute-force webhook authentication credentials due to missing rate limiting on password validation attempts. The vulnerability enables attackers to perform repeated authentication guesses against the webhook endpoint without throttling, potentially compromising webhook security and gaining unauthorized access to webhook functionality.
OpenClaw's Plivo V2 signature verification implementation allows remote attackers to bypass replay protection and forge authenticated requests by manipulating URL query parameters. The flaw affects OpenClaw versions before 2026.3.23 and stems from deriving replay protection keys from the full URL including query strings rather than the canonical base URL, enabling attackers to create new valid request signatures by modifying only query parameters on previously signed requests. With 8% EPSS percentile and high attack complexity (AC:H), this represents moderate real-world risk despite the 8.3 CVSS score. Public proof-of-concept commits demonstrate the vulnerability, though no active exploitation is confirmed.
Authorization bypass in OpenClaw versions prior to 2026.3.25 enables authenticated users to terminate arbitrary subagent sessions through the /sessions/:sessionKey/kill HTTP endpoint. Exploiting CWE-863 improper authorization, low-privilege authenticated attackers execute admin-level killSubagentRunAdmin functions without ownership or operator scope validation, achieving high integrity and availability impact on targeted sessions. No public exploit identified at time of analysis.
OpenClaw before version 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in Gemini OAuth flows, exposing cryptographic material through the redirect URL and enabling attackers who capture the URL to obtain both the authorization code and PKCE verifier, defeating PKCE protection and allowing unauthorized token redemption. The vulnerability requires user interaction (redirect capture) but has high confidentiality impact affecting OAuth security mechanisms; it is an information disclosure flaw in the OAuth implementation itself rather than a remote code execution threat.
OpenClaw prior to commit b57b680 allows authenticated users to bypass the approval system by exploiting inconsistent environment variable normalization between approval validation and execution paths. An attacker with low privileges can inject non-portable environment variable keys that are filtered during operator review but accepted at runtime, potentially enabling execution of attacker-controlled binaries. This vulnerability has a CVSS score of 6.9 (medium-high impact) and requires user interaction but affects the integrity of the approval workflow.
OpenClaw versions prior to commit 8aceaf5 allow authenticated remote attackers to bypass shell-bleed protection validation by crafting complex command forms such as piped execution, command substitution, or subshell invocation, enabling execution of arbitrary script content that should be blocked. The vulnerability affects the validateScriptFileForShellBleed() parser, which fails to recognize obfuscated command structures; no public exploit code has been identified at time of analysis, though a vendor patch is available.
Server-side request forgery in OpenClaw before 2026.3.28 allows unauthenticated remote attackers to fetch internal URLs through unguarded image download operations in the fal provider image-generation-provider.ts component, enabling exposure of internal service metadata and responses via the image pipeline. CVSS 5.3 indicates moderate integrity impact without authentication requirements. No public exploit code or active exploitation confirmed at time of analysis.
WebSocket session fixation in OpenClaw before version 2026.3.28 enables attackers to maintain unauthorized access after credential revocation. The vulnerability permits unauthenticated remote attackers (CVSS PR:N) to exploit persistent WebSocket connections that fail to terminate when device tokens are revoked, resulting in high confidentiality impact. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity. EPSS data not available; affects OpenClaw deployments with WebSocket-based device communication.
OpenClaw before version 2026.3.24 contains a sandbox bypass vulnerability in its message tool that allows local attackers to read arbitrary files by manipulating mediaUrl and fileUrl alias parameters to circumvent localRoots validation. The vulnerability exploits improper input sanitization in file request routing, enabling unauthorized disclosure of sensitive files outside the intended sandbox directory without requiring authentication or user interaction.
Brute-force attacks against OpenClaw webhook authentication allow unauthenticated remote attackers to forge Nextcloud Talk webhook events by exploiting missing rate limiting on shared secret validation. Affecting OpenClaw versions prior to 2026.3.28, attackers can repeatedly attempt authentication without throttling to compromise weak shared secrets and inject malicious webhook payloads. CVSS 9.8 critical severity reflects network-accessible attack surface requiring no authentication. No public exploit identified at time of analysis, though EPSS data not available. Vendor-released patch available via commit e403decb6e20091b5402780a7ccd2085f98aa3cd.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward caller scopes during approval checks, enabling attackers with basic pairing privileges-or potentially no privileges given the CVSS PR:N vector-to approve device requests with elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the CVSS 9.8 reflects trivial exploitation due to network accessibility, low complexity, and no authentication barrier. Vendor-released patch: commit e403dec (2026.3.28+).
Privilege escalation in OpenClaw versions prior to 2026.3.28 enables unauthenticated remote attackers to approve node pairings with unauthorized elevated scopes, bypassing authorization controls through missing callerScopes validation in the node pairing approval mechanism. This vulnerability (CWE-863: Incorrect Authorization) allows attackers to extend privileges onto paired nodes beyond their intended authorization level. CVSS 9.8 Critical with network-accessible attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis, with EPSS data not available for this recent CVE.
Unauthenticated attackers can force OpenClaw versions before 2026.3.28 to download and store arbitrary media files through Zalo messaging channels, bypassing sender authorization checks. The flaw allows remote exploitation without authentication (CVSS 9.8 critical) to consume network bandwidth and storage resources. No public exploit identified at time of analysis, though the attack vector is straightforward given the lack of pre-validation authorization checks. Vendor-released patch available via commit 68ceaf7a5.
OpenClaw before version 2026.3.12 allows authenticated attackers to bypass rate limiting on webhook secret validation by exploiting a logic flaw that applies rate limits only after successful authentication, enabling brute-force attacks against webhook credentials and injection of forged Zalo webhook traffic. The vulnerability requires authenticated access but results in high-confidence credential compromise.
Webhook secret brute-forcing in OpenClaw before 2026.3.12 enables attackers to forge authenticated webhooks by exploiting pre-authentication rate limit bypass. Unauthenticated remote attackers can systematically guess webhook secrets without triggering rate limiting (which only applies post-authentication), then submit forged webhook payloads to compromise system integrity and confidentiality. CVSS 9.8 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though exploitation requires only standard HTTP tooling. EPSS data not available; exploitation appears automatable given the straightforward nature of brute-force attacks against webhook endpoints.
Sandbox escape in OpenClaw (before version 2026.3.11) allows local authenticated users to write arbitrary files outside validated directories via a TOCTOU race condition during staged file writes. The fs-bridge component fails to anchor temporary file operations to verified parent directories, enabling attackers to manipulate path aliases between validation and execution phases. CVSS 7.5 (High) reflects the local attack vector with high complexity, but scope change (S:C) indicates potential container/sandbox breakout. No public exploit identified at time of analysis, though the race condition vulnerability class (CWE-367) is well-understood by attackers.
Telegram bot token exposure in OpenClaw's media download error handling allows unauthenticated remote attackers to harvest sensitive API credentials through information disclosure. Versions prior to 2026.3.13 embed complete Telegram file URLs containing bot tokens in MediaFetchError exceptions, leaking credentials to application logs and error surfaces. With EPSS data unavailable and no CISA KEV listing, no public exploit identified at time of analysis, though the vulnerability requires minimal technical sophistication to exploit given the network-accessible attack vector and low complexity (CVSS:3.1/AV:N/AC:L/PR:N).
OpenClaw before 2026.3.11 allows authenticated local attackers to bypass sandbox boundaries and write files outside validated paths via a time-of-check-time-of-use race condition in the fs-bridge writeFile commit operation. An attacker with local access and sufficient privileges can exploit unanchored container paths during file move operations to redirect committed files outside the sandbox, achieving arbitrary file write capabilities within the container mount namespace. No public exploit code or active exploitation has been confirmed.
OpenClaw before version 2026.3.11 allows authenticated users to bypass authorization restrictions and modify protected configuration on sibling accounts through channel commands, despite configWrites: false restrictions. An attacker with legitimate access to one account can execute /config set commands targeting another account's channel provider configuration, achieving unauthorized modification of settings across account boundaries. This vulnerability is neither actively exploited nor known to have public proof-of-concept code available.
Command substitution in OpenClaw's node-host approval system allows authenticated attackers with low privileges to execute arbitrary local code by deceiving operators through mismatched approval displays. The system shows extracted shell payloads during approval but executes different argv commands, enabling wrapper-binary attacks where approved commands differ from executed commands. Authentication is required (PR:L) with high attack complexity (AC:H) and user interaction (UI:R). No public exploit identified at time of analysis, though the vulnerability class (CWE-451: UI Misrepresentation of Critical Information) indicates the technical mechanism is well-understood.
OpenClaw before version 2026.3.11 allows local authenticated users to bypass local authentication boundaries through a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are incorrectly treated as unset, enabling fallback to remote credentials in local-only mode. The vulnerability requires local access and specific misconfiguration of auth references but can result in information disclosure if an attacker selects incorrect credential sources via CLI and helper paths. No public exploit code or active exploitation has been identified.
OpenClaw before 2026.3.8 allows authenticated remote attackers to bypass approval controls in the system.run function by obtaining approval for a script, modifying the approved script file before execution, and executing malicious content while preserving the approved command structure. This approval-execution window vulnerability enables privilege escalation and code execution with low complexity and no user interaction required. No public exploit code or active exploitation has been confirmed at the time of analysis.
Remote code execution in OpenClaw (versions prior to 2026.3.12) enables attackers to execute arbitrary malicious code when users open compromised repositories. The vulnerability stems from automatic plugin loading from .OpenClaw/extensions/ directories without trust verification, allowing attackers to embed malicious workspace plugins in cloned Git repositories. CVSS 9.8 (Critical) reflects network-based exploitation requiring no authentication or user interaction. No public exploit identified at time of analysis, though the attack mechanism is straightforward for social engineering scenarios targeting developers.
Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (GitHub commit demonstrates the fix, implying POC-level understanding in security community).
Authorization bypass in OpenClaw 2026.3.7 through 2026.3.10 enables remote unauthenticated attackers to execute privileged gateway operations through plugin subagent routes. The vulnerability exploits synthetic operator clients with excessive administrative scopes, allowing attackers to delete sessions and execute agent commands without authentication. CVSS 7.7 (High) with network attack vector but high complexity (AC:H). No public exploit identified at time of analysis, though technical details are available via GitHub security advisory and VulnCheck analysis.
Credential exposure in OpenClaw gateway pairing mechanism allows remote attackers to extract and reuse long-lived shared gateway credentials embedded in pairing setup codes. Attackers who obtain QR codes or pairing tokens from chat logs, screenshots, or system logs can recover persistent gateway credentials intended for one-time use, enabling unauthorized gateway access without authentication. EPSS data not available; no public exploit identified at time of analysis. Affects OpenClaw versions prior to 2026.3.12.
OpenClaw before version 2026.3.8 allows local authenticated attackers to write files outside the intended tools directory through a time-of-check-time-of-use (TOCTOU) path traversal vulnerability in the skills download installer. An attacker with local access and low privileges can rebind the tools-root symbolic link or path between the initial validation check and the final archive extraction, causing the installer to write malicious files to arbitrary locations on the system. While the attack requires local access and moderate effort (high complexity), successful exploitation grants the attacker arbitrary file write capability with potential impact on system integrity and availability.
Authorization bypass in OpenClaw gateway agent RPC enables authenticated operators with operator.write permission to escape workspace boundaries and execute arbitrary operations outside designated directories. Attackers supply malicious spawnedBy and workspaceDir parameters to perform file and exec operations from any process-accessible location. CVSS 8.7 reflects high confidentiality, integrity, and availability impact with network attack vector and low complexity. No public exploit identified at time of analysis, though EPSS data unavailable. VulnCheck identified this as an information disclosure vector affecting OpenClaw versions prior to 2026.3.11.
OpenClaw before 2026.2.17 stores session transcript JSONL files with overly permissive default file permissions, enabling local authenticated users to read transcript contents and extract sensitive information including secrets from tool output. The vulnerability requires local access and authenticated status on the system, affecting confidentiality of cached session data. No public exploit code or active exploitation has been confirmed, though the attack surface is high given the local nature and ease of file access.
Bootstrap setup code replay in OpenClaw before 2026.3.13 enables unauthenticated remote attackers to escalate privileges to operator.admin during device pairing. The vulnerability (CWE-294: Capture-replay) in src/infra/device-bootstrap.ts permits multiple verification attempts of valid bootstrap codes before approval, allowing escalation of pending pairing scopes. CVSS 9.3 (Critical) reflects network-accessible attack with low complexity and no user interaction required. EPSS data unavailable; no public exploit identified at time of analysis. Vendor-released patch available via GitHub commit 1803d16d.
Resource exhaustion in OpenClaw webhook endpoint allows remote attackers to consume server memory and processing resources via unauthenticated Telegram webhook POST requests. OpenClaw versions prior to 2026.3.13 process and buffer entire request bodies before validating authentication tokens, enabling denial-of-service attacks with no authentication required. CVSS 8.7 (High) reflects network-accessible, low-complexity attack with high availability impact. No public exploit identified at time of analysis, though the attack technique is straightforward given the architectural flaw.
Time-of-check-time-of-use (TOCTOU) race condition in OpenClaw runtime (<2026.3.11) allows local authenticated attackers with low privileges to execute arbitrary code by modifying approved scripts between authorization and execution phases. The vulnerability (CWE-367) enables privilege escalation to the OpenClaw runtime user context, requiring user interaction but trivial attack complexity. No public exploit identified at time of analysis, though EPSS data unavailable and CVE not present in CISA KEV catalog.
Approval bypass in OpenClaw before 2026.3.11 allows low-privileged remote attackers to execute arbitrary code by exploiting race conditions in system.run approvals. Attackers obtain legitimate approval for benign scripts, then overwrite referenced files before execution via vulnerable tsx/jiti runners. With CVSS 9.4 (critical severity, network-accessible, low complexity) and EPSS data not yet available for this 2026 CVE, organizations using OpenClaw's script execution features face immediate risk despite requiring user interaction and low-level authentication. No public exploit identified at time of analysis, though the approval bypass mechanism is documented in vendor advisory GHSA-qc36-x95h-7j53.
OpenClaw before version 2026.3.12 allows authentication bypass in Zalouser allowlist mode by matching mutable group display names instead of stable identifiers, enabling attackers to create identically-named groups and route messages from unauthorized groups to the agent. The vulnerability requires network access and no authentication, affecting the confidentiality and integrity of message routing with a CVSS score of 6.9. No public exploit code has been identified at time of analysis.
Execution allowlist bypass in OpenClaw (versions prior to 2026.3.11) enables unauthenticated remote attackers to execute arbitrary commands by exploiting improper pattern normalization in matchesExecAllowlistPattern. The vulnerability stems from lowercasing and overly permissive glob matching logic that incorrectly allows the ? wildcard to match across POSIX path segments, circumventing intended security restrictions. No public exploit identified at time of analysis, though CVSS 8.8 severity reflects network-accessible attack vector with no authentication required and high integrity/availability impact.
Privilege escalation in OpenClaw versions prior to 2026.3.11 allows authenticated users with operator.write permissions to execute administrative browser profile management functions, bypassing role-based access controls. Attackers can persist malicious remote Chrome DevTools Protocol (CDP) endpoints to disk, enabling potential remote code execution or session hijacking without operator.admin privileges. EPSS data not available; no public exploit identified at time of analysis. CVSS 7.1 (High) reflects network-accessible attack requiring only low-privileged authentication.
OpenClaw before version 2026.3.12 permits authorization bypass in Feishu reaction event handling when chat_type parameters are omitted, causing group chat events to be misclassified as peer-to-peer conversations and allowing attackers to circumvent groupAllowFrom and requireMention security controls. Unauthenticated remote attackers can exploit this with low complexity to achieve partial confidentiality and integrity impacts. No public exploit code has been identified, but the vulnerability is straightforward to trigger once the root cause is understood.
OpenClaw before version 2026.3.11 allows authenticated non-allowlisted Discord guild members to bypass authorization checks on reaction ingestion events, enabling them to inject arbitrary reaction text into downstream session context that is trusted as legitimate system events. This authentication-required authorization bypass affects all OpenClaw deployments integrating Discord guild reaction handling and has a CVSS score of 5.3 with confirmed patch availability.
Privilege escalation in OpenClaw device token rotation (versions before 2026.3.11) enables authenticated attackers with operator.pairing scope to mint tokens with arbitrary elevated scopes, including operator.admin privileges. This scope validation bypass permits remote code execution on connected nodes via system.run API and unauthorized gateway-admin access. CVSS 9.4 (Critical) with network attack vector and low complexity. EPSS and KEV data not provided; no public exploit identified at time of analysis, though technical details disclosed via GitHub security advisory increase exploitation risk.
OpenClaw before version 2026.3.11 allows authenticated operators with write-scoped permissions to bypass authorization controls and execute admin-only session reset functionality. Attackers holding operator.write privileges can issue agent requests containing /new or /reset slash commands to reset conversation state without requiring operator.admin credentials, resulting in unauthorized modification of session data. This vulnerability has a CVSS score of 6.9 and affects the core authorization logic that protects sensitive administrative operations.
Session sandbox escape in OpenClaw versions prior to 2026.3.11 allows local authenticated attackers with low-privilege sandboxed subagent access to read and modify session data across isolation boundaries by manipulating sessionKey parameters in the session_status tool. Exploitation enables unauthorized access to parent or sibling session state including persisted model overrides, bypassing critical security isolation controls. No public exploit identified at time of analysis, though the authentication bypass mechanism is clearly documented in vendor security advisory.
Sandbox escape in OpenClaw versions before 2026.3.11 enables low-privilege leaf subagents to bypass isolation boundaries and manipulate sibling processes with elevated tool policies. Local authenticated attackers can terminate competing worker threads, redirect execution flows, and execute operations outside their intended security context by exploiting insufficient authorization on subagent control APIs. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though the technical advisory provides detailed vulnerability mechanics.
Privilege escalation in OpenClaw versions before 2026.3.12 allows authenticated users with command authorization to access owner-restricted configuration and debug endpoints due to missing permission checks. Attackers can read and modify privileged settings intended only for owners, effectively bypassing role-based access controls. CVSS 8.7 (High) with EPSS data unavailable; no public exploit identified at time of analysis, though the vulnerability class (CWE-863: incorrect authorization) is commonly targeted once disclosed.
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).
OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.
OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.
OpenClaw before version 2026.2.19 contains a command injection vulnerability in the tools.exec.safeBins function that allows local attackers with limited privileges to bypass stdin-only execution restrictions through specially crafted sort output flags (sort -o) or recursive grep flags (grep -R). An authenticated attacker can exploit this to perform arbitrary file writes or reads, circumventing the intended safe-bin execution model that restricts command capabilities. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting technical details.
OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.
OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.
OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.
OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.
OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.
OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.
OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.
OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.
OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.
OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.
OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.
OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.
OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.
OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.
OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.
OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.
OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.