Skip to main content

Openclaw

551 CVEs product

Monthly

CVE-2026-32846 npm HIGH POC PATCH GHSA This Week

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-32913 npm CRITICAL PATCH GHSA Act Now

OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32910 HIGH PATCH This Week

OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
7.3
CVE-2026-32909 LOW PATCH Monitor

OpenClaw before version 2026.2.19 contains a command injection vulnerability in the tools.exec.safeBins function that allows local attackers with limited privileges to bypass stdin-only execution restrictions through specially crafted sort output flags (sort -o) or recursive grep flags (grep -R). An authenticated attacker can exploit this to perform arbitrary file writes or reads, circumventing the intended safe-bin execution model that restricts command capabilities. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting technical details.

Command Injection Openclaw
NVD GitHub
CVSS 3.1
3.6
CVE-2026-32904 MEDIUM PATCH This Month

OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
4.6
CVE-2026-32903 MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.

Information Disclosure Openclaw
NVD GitHub
CVSS 3.1
6.1
CVE-2026-32902 HIGH PATCH This Week

OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.

SSRF Openclaw
NVD GitHub
CVSS 3.1
8.3
CVE-2026-32901 MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.

Information Disclosure Openclaw
NVD GitHub
CVSS 3.1
6.7
CVE-2026-32900 MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
6.4
CVE-2026-32066 npm HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.

Denial Of Service Openclaw
NVD GitHub
CVSS 3.1
7.5
CVE-2026-32047 MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
5.8
CVE-2026-28483 npm MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.

Information Disclosure Openclaw
NVD GitHub
CVSS 3.1
5.8
CVE-2026-28455 MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.1
5.8
CVE-2026-27646 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-27183 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-32899 npm MEDIUM POC PATCH This Month

OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32898 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32897 npm LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-32896 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-32895 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32067 npm LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-32065 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-32064 npm HIGH POC PATCH GHSA This Week

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32058 npm LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
2.6
EPSS
0.0%
CVE-2026-32057 npm MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-32056 npm HIGH POC PATCH GHSA This Week

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.

RCE Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-32055 npm HIGH POC PATCH GHSA This Week

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace directory by exploiting improper symlink resolution in path validation checks. An attacker with workspace access can leverage in-workspace symlinks pointing to external targets to bypass boundary restrictions on the first write operation. Public exploit code exists for this vulnerability, and a patch is available.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32054 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32053 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.23 contain a webhook event deduplication bypass vulnerability where normalized Twilio event IDs are randomized on each parse, allowing attackers to replay webhook events and circumvent the manager's deduplication checks. An unauthenticated remote attacker can exploit this over the network to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. While no CVSS modifier for active exploitation or public POC is explicitly confirmed in the provided intelligence, the CVSS 6.5 score reflects moderate integrity and availability impact with low attack complexity.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32052 npm MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-32051 npm HIGH POC PATCH This Week

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.write scope to escalate privileges and execute owner-only administrative functions including gateway and cron management through agent runs in scoped-token deployments. This is a privilege escalation issue affecting deployments using scoped authentication tokens, where write-level access can be exploited to perform control-plane operations reserved for owners. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant authorization bypass, though no KEV listing or public exploitation indicators are currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32050 npm LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in the signal reaction notification handling mechanism that allows unauthenticated attackers to enqueue status events before authorization checks are performed. Attackers can exploit the reaction-only event path in event-handler.ts to inject signal reaction status lines into sessions without validating proper DM or group access permissions, resulting in integrity compromise. The vulnerability has a CVSS score of 3.7 (low-to-moderate severity) with an attack vector of network, high complexity, and no privileges required, though no active exploitation or public proof-of-concept has been confirmed in known exploit databases.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32049 npm HIGH POC PATCH GHSA This Week

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consistently enforce configured inbound media byte limits across multiple channel ingestion paths. Remote unauthenticated attackers can exploit this by sending oversized media payloads to cause elevated memory consumption and process instability, leading to denial of service. The vulnerability has a CVSS score of 7.5 (High severity) with network-based attack vector and low complexity, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32048 npm HIGH POC PATCH This Week

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. While the CVSS score is 7.5 (High), there is no evidence of active exploitation (not in CISA KEV), though the vulnerability has been publicly disclosed through GitHub Security Advisories and VulnCheck, increasing the likelihood of proof-of-concept development.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32045 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in HTTP gateway routes due to incorrect application of tokenless Tailscale header authentication. Attackers on trusted networks can access HTTP gateway routes without providing required token or password credentials, potentially exposing sensitive functionality. A patch is available from the vendor, and this vulnerability has been disclosed publicly via GitHub Security Advisory GHSA-hff7-ccv5-52f8.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-32044 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32043 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in the approval-bound system.run execution function where the current working directory (cwd) parameter is validated at approval time but resolved at execution time, allowing attackers with local access and limited privileges to retarget symlinked directories between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. The vulnerability has a CVSS score of 6.5 with medium attack complexity but high integrity and availability impact, making it a notable local privilege escalation vector that requires user interaction in the approval workflow.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32042 npm HIGH POC PATCH This Week

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22172 npm CRITICAL PATCH Act Now

OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-32041 npm MEDIUM PATCH GHSA This Month

OpenClaw versions prior to 2026.3.1 contain an authentication bypass vulnerability where failed authentication bootstrap during startup leaves browser-control routes accessible without credentials. An attacker with local process access or ability to reach the application via loopback SSRF can exploit this to access sensitive browser-control functionality including code evaluation capabilities without valid authentication. This is a moderate-risk vulnerability with a CVSS score of 6.9 and realistic exploitation potential for local/SSRF-capable threats.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.0%
CVE-2026-32040 npm MEDIUM PATCH This Month

OpenClaw prior to version 2026.2.23 allows local authenticated attackers to inject malicious code into exported HTML sessions through specially crafted mimeType values in image content blocks. When a user opens the exported HTML file, the injected code executes arbitrary JavaScript in their browser context. Exploitation requires local access and user interaction to open the malicious HTML file.

XSS Openclaw
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-32039 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow authenticated attackers to bypass sender authorization checks through identifier collision attacks, enabling them to gain unauthorized access to privileged tools. By exploiting untyped sender keys and forcing collisions with mutable identity fields like senderName or senderUsername, attackers can inherit elevated permissions not granted to their account. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-32037 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain a Server-Side Request Forgery (SSRF) vulnerability in MSTeams media attachment handling where redirect chain validation against the mediaAllowHosts allowlist is inconsistently applied. An authenticated attacker with low privileges can supply or influence attachment URLs that redirect to non-allowlisted targets, allowing them to bypass SSRF boundary controls and potentially access internal resources. The vulnerability has confirmed patch availability and security advisories from the vendor.

SSRF Openclaw
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-32036 npm MEDIUM PATCH GHSA This Month

OpenClaw gateway plugin versions before 2026.2.26 allow remote attackers to bypass authentication by exploiting path traversal in the /api/channels endpoint through encoded dot-segment sequences. Attackers can manipulate these paths to access protected plugin routes that should be restricted, gaining unauthorized access to sensitive channel functionality. No patch is currently available for this medium-severity vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32035 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an authorization bypass vulnerability in Discord voice transcript processing where the senderIsOwner flag is not properly validated in the agentCommand handler, causing it to default to true. This allows non-owner participants in mixed-trust Discord channels to gain unauthorized access to owner-only tools including gateway and cron functionality. The vulnerability has a CVSS score of 5.9 (medium severity) with high integrity impact, though real-world exploitation requires user interaction and moderate attack complexity.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-32034 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated attackers to bypass device identity verification and gain high-privilege Control UI access when insecure authentication is enabled and the gateway uses unencrypted HTTP. An attacker with compromised credentials can exploit the lack of secure authentication enforcement to obtain unauthorized control access. The vulnerability requires network access and valid credentials but poses significant risk in environments where plaintext HTTP is used.

Authentication Bypass Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.1
EPSS
0.1%
CVE-2026-32033 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to bypass path traversal protections by using @-prefixed absolute paths that evade workspace boundary validation, enabling unauthorized file access outside the intended directory scope when workspace-only restrictions are configured. The vulnerability stems from a canonicalization mismatch that fails to properly validate these specially-crafted paths, allowing attackers to read arbitrary files on the system.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-32032 npm HIGH PATCH This Week

OpenClaw versions before 2026.2.22 allow local attackers with environment access to execute arbitrary commands by manipulating the SHELL environment variable, which is insufficiently validated during shell fallback operations. An attacker can leverage this to run malicious code with the privileges of the OpenClaw process. No patch is currently available for this vulnerability.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-32031 npm MEDIUM PATCH This Month

OpenClaw server-http versions before 2026.2.26 permit unauthenticated access to protected plugin channel APIs through path canonicalization mismatches between gateway and routing handlers. Remote attackers can exploit this authentication bypass by crafting requests with alternative path encodings to reach sensitive endpoints without valid credentials. No patch is currently available for this medium-severity issue.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-32030 npm HIGH PATCH This Week

OpenClaw versions before 2026.2.19 allow remote file disclosure when iMessage remote attachment fetching is enabled, as the stageSandboxMedia function fails to properly validate attachment paths and accepts arbitrary absolute paths. An attacker with the ability to manipulate attachment metadata can read files accessible to the OpenClaw process on the configured remote host via SCP. No patch is currently available for this vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-32029 npm MEDIUM PATCH This Month

CVE-2026-32029 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Code Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-32028 npm MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-32027 npm HIGH PATCH This Week

OpenClaw versions prior to 2026.2.26 contain a critical authorization bypass vulnerability where Direct Message (DM) pairing-store identities are incorrectly reused to satisfy group-level sender allowlist authorization checks. An attacker with valid DM pairing credentials can send messages to groups without being explicitly listed in the group's allowFrom access control list, effectively bypassing group message access controls. This vulnerability requires authenticated access (PR:L) but enables high-confidence information disclosure (C:H), with a CVSS score of 6.5 reflecting the combination of network accessibility and authentication requirement.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-32026 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability (CWE-22: Path Traversal) in sandbox media handling that allows attackers with low privileges to read and exfiltrate arbitrary files from the host temporary directory. An authenticated attacker can exploit this by crafting malicious media references delivered through attachment mechanisms, bypassing sandbox isolation to access sensitive files outside the intended sandbox root. No active exploitation in the wild (KEV status unknown), but proof-of-concept code references are available in GitHub commit history.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32025 npm HIGH PATCH This Week

A WebSocket authentication bypass vulnerability in OpenClaw gateway software allows attackers to circumvent origin validation and rate limiting protections when deployed on localhost/loopback interfaces. The flaw enables malicious websites to conduct brute-force attacks against the gateway's authentication mechanism through a victim's browser, potentially gaining full administrative control over the OpenClaw control plane. With a 7.5 CVSS score and requiring only user interaction to exploit, this represents a significant risk for organizations running OpenClaw in loopback configurations.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32024 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 suffer from a symlink traversal flaw in avatar processing that enables local attackers with user-level privileges to read sensitive files beyond the intended workspace directory. An attacker can leverage this through gateway interfaces to access arbitrary files with OpenClaw process permissions, resulting in unauthorized information disclosure. No patch is currently available for this vulnerability.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-32023 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in the system.run allowlist mode where attackers with local privileges can chain multiple transparent dispatch wrappers (such as /usr/bin/env) to suppress shell-wrapper detection and execute arbitrary shell commands without triggering expected approval prompts in allowlist plus ask=on-miss configurations. This authentication bypass has a CVSS score of 5.9 (medium severity) with high integrity impact, allowing privilege escalation or unauthorized command execution on affected systems. A proof-of-concept and security advisory are available from GitHub and VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
CVE-2026-32022 npm MEDIUM PATCH This Month

A arbitrary file access vulnerability in the grep tool within tools (CVSS 6.0) that allows attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-32021 npm MEDIUM PATCH This Month

CVE-2026-32021 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-32020 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-32019 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.22 contain incomplete validation of IPv4 special-use ranges in the isPrivateIpv4() function, allowing attackers to bypass Server-Side Request Forgery (SSRF) policy checks and access RFC-reserved address ranges that should be blocked. An authenticated attacker with network reachability to special-use IPv4 ranges such as 198.18.0.0/15 can exploit the web_fetch functionality to access blocked internal addresses, resulting in information disclosure and potential lateral movement. The vulnerability has been patched and security advisories are available from the OpenClaw project.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-32018 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers.

Information Disclosure Race Condition Openclaw
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-32017 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.19 allow authenticated attackers to bypass the exec safeBins policy and write arbitrary files by injecting short-option flags into whitelisted binary commands. An attacker with login credentials can exploit this allowlist bypass to perform unauthorized file-write operations that should be blocked by the safeBins security controls. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.1%
CVE-2026-32015 npm HIGH PATCH GHSA This Week

OpenClaw versions before 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows local attackers with process environment control to execute arbitrary binaries by spoofing allowlisted tool names like jq. An attacker who can manipulate the gateway process PATH can bypass executable validation controls and achieve code execution with the privileges of the affected process. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-32014 npm HIGH PATCH This Week

A metadata spoofing vulnerability in OpenClaw allows attackers with paired node identities on the trusted network to bypass platform-based node command policies by manipulating unsigned reconnect platform and deviceFamily fields. This authentication bypass vulnerability affects OpenClaw versions prior to 2026.2.26 and enables unauthorized access to restricted commands with high impact on confidentiality, integrity, and availability (CVSS 8.0). No active exploitation has been reported in KEV and EPSS data is not available, but the vulnerability has been publicly disclosed with patches available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-32013 npm HIGH PATCH This Week

A symlink traversal vulnerability in OpenClaw allows authenticated attackers to read and write arbitrary files on the host system through the agents.files.get and agents.files.set methods. The vulnerability affects OpenClaw versions prior to 2026.2.25 and can lead to remote code execution through strategic file overwrites. With a high CVSS score of 8.8 and an RCE tag, this represents a critical security risk for organizations using affected versions.

RCE Openclaw
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32010 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow local authenticated attackers to bypass the safe-bin allowlist by exploiting sort's --compress-program flag, enabling execution of arbitrary programs despite allowlist restrictions. This command injection vulnerability affects deployments using safe-bin configuration with ask=on-miss mode enabled, permitting unauthorized code execution without operator approval.

Command Injection Openclaw
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-32009 npm MEDIUM PATCH GHSA This Month

Arbitrary command execution in OpenClaw prior to version 2026.2.24 results from improper validation of binaries in package manager directories that are included in the safeBins allowlist. An attacker with write access to trusted paths such as /opt/homebrew/bin or /usr/local/bin can plant a malicious binary to achieve code execution within the OpenClaw runtime. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-32008 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated users with browser-tool access to bypass URL scheme validation and navigate to file:// URLs, enabling local file exfiltration through browser snapshot and extraction features. An attacker with valid credentials could read sensitive files accessible to the OpenClaw process and extract them from the system. No patch is currently available.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32007 npm MEDIUM PATCH GHSA This Month

OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.

Path Traversal Openclaw
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32006 npm LOW PATCH Monitor

CVE-2026-32006 is a security vulnerability (CVSS 3.1). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-32005 npm MEDIUM PATCH GHSA This Month

OpenClaw versions prior to 2026.2.25 contain an authorization bypass vulnerability in interactive callback handlers (block_action, view_submission, view_closed) that allows authenticated but unauthorized workspace members to bypass sender authorization checks and enqueue arbitrary system events into active sessions. This affects shared workspace deployments where multiple users with varying permission levels coexist, enabling privilege escalation and information disclosure attacks without requiring elevated privileges or user interaction.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-32004 npm MEDIUM PATCH GHSA This Month

OpenClaw prior to version 2026.3.2 allows unauthenticated attackers to bypass authentication controls on the /api/channels endpoint through path canonicalization mismatches, enabling access to protected API resources. The vulnerability exploits inconsistent handling of multi-encoded slash characters (%2f variants) between authentication checks and route processing. No patch is currently available, and exploitation requires only network access with no user interaction.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32003 npm MEDIUM PATCH GHSA This Month

OpenClaw versions before 2026.2.22 allow high-privileged attackers to execute arbitrary shell commands by injecting malicious environment variables into the system.run function, bypassing the intended command allowlist protections. By exploiting bash xtrace expansion through SHELLOPTS and PS4 variables, an attacker with request-scoped environment variable access can achieve code execution beyond the restricted command set. No patch is currently available for this command injection vulnerability.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-32002 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.23 allow authenticated users to bypass sandbox restrictions and read files outside the intended workspace by exploiting inadequate path validation in the sandboxed image tool. An attacker with valid credentials can exfiltrate sensitive files by leveraging vision model provider integrations, compromising the confidentiality of restricted data.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32001 npm MEDIUM PATCH This Month

OpenClaw prior to version 2026.2.22 allows authenticated users to bypass device identity verification and assume a node role during WebSocket connections, enabling injection of unauthorized node events that trigger sensitive agent and voice transcript operations. An attacker with a shared gateway token can exploit this to perform actions without proper device pairing, potentially compromising system integrity and confidentiality. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-31999 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a current working directory (cwd) injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows local attackers to manipulate command execution through directory control during shell fallback mechanisms. An authenticated local attacker with low privileges can exploit this vulnerability to achieve command execution integrity loss by controlling the working directory, potentially leading to unauthorized code execution or privilege escalation. While no active in-the-wild exploitation has been reported in KEV databases, the vulnerability is documented with a proof-of-concept available through the vendor's security advisory on GitHub.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-31997 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a post-approval executable rebind vulnerability in the system.run approval mechanism that fails to pin executable identity when argv[0] is not a full path. An attacker with local access and low privileges can modify PATH environment variables after an operator approves a command execution to redirect the approval to execute a different binary, achieving arbitrary command execution with the privileges of the OpenClaw process. The vulnerability has a moderate CVSS score of 6.0 reflecting local attack vector and high privilege requirements, but poses significant risk in environments where approval workflows are relied upon for security boundaries.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-31996 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain an input validation bypass in the tools.exec.safeBins component that allows local attackers with command execution privileges to circumvent stdin-only restrictions and perform arbitrary filesystem operations. By exploiting sort output flags (specifically the -o flag for arbitrary file writes) or recursive grep flags (-R for recursive file reads), authenticated attackers can read sensitive files or overwrite critical files despite intended access controls. While the CVSS score of 3.6 is moderate and requires local access with low privileges, the vulnerability represents a privilege escalation or sandbox escape technique rather than a critical remote exploit.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-31995 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-31994 npm HIGH PATCH This Week

OpenClaw contains a local command injection vulnerability in Windows scheduled task script generation that allows authenticated local attackers to inject arbitrary commands through unsafe handling of cmd metacharacters and CR/LF sequences in gateway.cmd files. OpenClaw versions prior to 2026.2.19 are affected. Attackers with control over service script generation arguments can execute unintended code in the scheduled task context with high impact to integrity and availability.

Command Injection Microsoft Openclaw Windows
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-31993 npm MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 contain an allowlist parsing flaw in the macOS companion app that enables authenticated operators with elevated privileges to bypass command execution controls and run arbitrary commands on paired hosts. The vulnerability affects systems with operator.write access and macOS beta nodes, allowing attackers to craft malicious shell-chain payloads that circumvent validation checks. A security patch is available.

Apple Authentication Bypass Openclaw macOS
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-31992 npm HIGH PATCH This Week

OpenClaw contains an allowlist bypass vulnerability in system.run guardrails that enables authenticated operators to execute arbitrary commands by exploiting the env -S flag when /usr/bin/env is allowlisted. The vulnerability affects all OpenClaw versions prior to 2026.2.23, allowing attackers with low-level privileges to bypass policy controls and execute shell wrapper payloads at runtime. No KEV status or public POC has been reported, though vendor patches are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-31991 npm LOW PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in Signal group allowlist enforcement where the system incorrectly accepts sender identities derived from direct message (DM) pairing-store approvals. An authenticated attacker with low privileges can exploit this boundary weakness by obtaining DM pairing approval, allowing them to bypass group allowlist checks and gain unauthorized access to Signal groups. While the CVSS score is moderate (3.7) and attack complexity is high, the vulnerability represents a direct authentication control bypass in a messaging security context, and patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-31990 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.2 contain a symlink traversal vulnerability in the stageSandboxMedia function that fails to validate destination symlinks during media staging operations. This allows local attackers with low privileges to write files outside the intended sandbox workspace by placing malicious symlinks in the media/inbound directory, resulting in arbitrary file overwrite on the host system. A patch is available from the vendor, and the vulnerability was reported by VulnCheck with public references including a GitHub security advisory and commit fix.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31989 npm HIGH PATCH This Week

OpenClaw versions prior to 2026.3.1 contain a server-side request forgery (SSRF) vulnerability in the web_search citation redirect resolution component that permits requests to private network ranges. Authenticated attackers with low privileges can manipulate citation redirect targets to force the OpenClaw server to make requests to loopback addresses, private networks, or internal infrastructure, potentially accessing sensitive internal services or data. The vulnerability has a CVSS score of 7.4 with changed scope, indicating potential lateral movement beyond the vulnerable component.

SSRF Openclaw
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-29608 npm MEDIUM PATCH This Month

OpenClaw 2026.3.1 contains an approval integrity bypass vulnerability in the system.run node-host execution feature where attackers can rewrite command-line arguments (argv) to change the semantics of operator-approved commands. An authenticated local attacker with low privileges can place malicious scripts in the working directory to execute unintended code despite the operator approving different command text, resulting in high-impact confidentiality, integrity, and availability violations. A patch is available from the vendor, and no public exploit code has been widely reported, but the vulnerability represents a critical trust boundary violation in approval workflows.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-29607 npm HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in its allow-always wrapper persistence mechanism that enables remote code execution. Attackers with high privileges and user interaction can approve benign wrapped system.run commands, then subsequently execute arbitrary different payloads without requiring additional approval, compromising both gateway and node-host execution environments. A patch is available from the vendor, and this vulnerability is tagged as enabling both RCE and command injection attacks.

RCE Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-28461 npm HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that allows unauthenticated remote attackers to exhaust system memory through query string manipulation. OpenClaw versions prior to 2026.3.1 are affected. Attackers can send repeated HTTP requests with varying query parameters to trigger in-memory key accumulation, leading to memory pressure, process instability, or complete denial of service through out-of-memory conditions.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28460 npm MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the system.run function that allows authenticated attackers to execute non-allowlisted commands by exploiting shell line-continuation characters to fold malicious command substitution past security controls. An attacker with low privileges (PR:L) can inject shell metacharacters (specifically $\ followed by newline and parenthesis within double quotes) to circumvent approval boundaries and execute arbitrary commands, resulting in integrity compromise and potential availability impact. A public advisory and patch are available from the vendor, though no EPSS score or KEV status was provided in the intelligence sources.

Command Injection Openclaw
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files including system configurations, environment files, and SSH private keys by bypassing media parsing validation functions. The vulnerability stems from incomplete path validation in isLikelyLocalPath() and isValidMedia() functions, with an allowBareFilename bypass permitting sandbox escape. Vendor-released patch available in commit 4797bbc (CVSS 8.7, no public exploit identified at time of analysis).

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

OpenClaw versions prior to 2026.3.7 contain a critical header validation flaw in the fetchWithSsrFGuard function that leaks sensitive authorization headers (including X-Api-Key and Private-Token) across cross-origin redirects. An attacker can exploit this remotely without authentication by triggering HTTP redirects to attacker-controlled domains, intercepting credentials intended for legitimate services. With a CVSS score of 9.3 and network-accessible attack vector requiring low complexity, this represents a significant information disclosure risk, though no active exploitation (KEV) or public POC has been reported at this time.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 7.3
HIGH PATCH This Week

OpenClaw versions prior to 2026.3.1 contain an approval bypass vulnerability in the system.run function that allows attackers to execute a different binary than the one approved by an operator. The vulnerability stems from non-path-like argv[0] tokens failing to bind to executable identity, enabling post-approval PATH manipulation to redirect execution to attacker-controlled binaries. With a CVSS score of 7.3 and requiring local access with low privileges and user interaction, this represents a significant privilege escalation and integrity bypass risk in environments using OpenClaw's execution approval mechanisms.

Authentication Bypass Openclaw
NVD GitHub
CVSS 3.6
LOW PATCH Monitor

OpenClaw before version 2026.2.19 contains a command injection vulnerability in the tools.exec.safeBins function that allows local attackers with limited privileges to bypass stdin-only execution restrictions through specially crafted sort output flags (sort -o) or recursive grep flags (grep -R). An authenticated attacker can exploit this to perform arbitrary file writes or reads, circumventing the intended safe-bin execution model that restricts command capabilities. A patch is available from the vendor, and this vulnerability has been documented by VulnCheck with supporting technical details.

Command Injection Openclaw
NVD GitHub
CVSS 4.6
MEDIUM PATCH This Month

OpenClaw before version 2026.2.26 contains an authorization bypass vulnerability in group allowlist policy evaluation that improperly accepts sender identities from DM pairing-store approvals. Attackers with low privileges can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized access to restricted groups. The vulnerability carries a moderate CVSS score of 4.6 with user interaction required, and patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub
CVSS 6.1
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a symlink traversal vulnerability in the stageSandboxMedia function that allows local attackers with limited privileges to overwrite arbitrary files outside the intended sandbox workspace. By exploiting unvalidated destination paths in media/inbound write operations, an attacker can follow symlinks to modify host files beyond sandbox boundaries, resulting in integrity compromise and potential system availability impact. A patch is available from the vendor.

Information Disclosure Openclaw
NVD GitHub
CVSS 8.3
HIGH PATCH This Week

OpenClaw contains a server-side request forgery (SSRF) vulnerability in its web search citation redirect resolution mechanism that allows unauthenticated remote attackers to trigger requests to internal network destinations from the OpenClaw gateway host. OpenClaw versions prior to 2026.3.1 are affected. Attackers who can influence citation redirect targets can exploit this to access private network resources, with a CVSS score of 8.3 indicating high severity with low complexity and no privileges required.

SSRF Openclaw
NVD GitHub
CVSS 6.7
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a semantic drift vulnerability in the node system.run approval hardening mechanism that allows attackers to manipulate wrapper command arguments (argv) to execute unintended local scripts. An attacker with local access, low privileges, and the ability to influence wrapper argv and place malicious files in the approved working directory can achieve arbitrary script execution by exploiting argv rewriting that bypasses the intended approved command enforcement. A patch is available from the vendor, and this vulnerability affects all OpenClaw versions prior to 2026.3.2.

Information Disclosure Openclaw
NVD GitHub
CVSS 6.4
MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains an authorization bypass vulnerability in allowlist mode that allows attackers with high privileges to approve benign wrapped system.run commands and subsequently execute arbitrary commands without requiring additional approval on gateway and node-host execution flows. This vulnerability exploits allow-always persistence at the wrapper level to broaden trust boundaries beyond the initial approval scope. The vulnerability has a CVSS score of 6.4 with high impact on confidentiality, integrity, and availability, though exploitation requires high privilege level and user interaction.

Authentication Bypass Openclaw
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that enables unauthenticated remote attackers to exhaust server memory by sending repeated HTTP requests with varying query string parameters. This affects OpenClaw versions prior to 2026.3.1. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and lack of authentication requirements, though no evidence of active exploitation (KEV) or public proof-of-concept has been identified at this time.

Denial Of Service Openclaw
NVD GitHub
CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains a critical allowlist bypass vulnerability in the system.run function that allows authenticated local attackers to execute arbitrary commands by circumventing security controls. An attacker with local access and low privileges can inject shell line-continuation sequences and command substitution syntax within double quotes to fold malicious payloads into executable subcommands, effectively bypassing the intended command allowlist. This vulnerability enables privilege escalation and arbitrary code execution on affected systems.

Authentication Bypass Openclaw
NVD GitHub
CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. A patch is available from the vendor, and this vulnerability requires local access with user-level privileges to exploit, making it a moderate-severity concern for systems where untrusted users can extract archives.

Information Disclosure Openclaw
NVD GitHub
CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.2.22 contains an allowlist bypass vulnerability in its system.run exec analysis functionality that fails to properly unwrap environment variable and shell-dispatch wrapper chains. Attackers with local access and limited privileges can exploit this to route command execution through wrapper binaries such as env or bash, allowing them to smuggle payloads past the intended allowlist restrictions. This vulnerability enables privilege escalation and integrity compromise on affected systems.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn slash-command that allows authorized sandboxed users to initialize host-side ACP runtime and bypass sandbox restrictions. An attacker with low privileges and sandboxed chat access can invoke the vulnerable command to cross from isolated chat context into unrestricted host-side ACP session initialization when ACP is enabled, potentially escalating their capabilities beyond intended boundaries. The vulnerability has been assigned a CVSS score of 5.3 (medium severity) with a published patch available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability that allows local attackers with limited privileges to execute arbitrary shell commands by circumventing security approval controls. The vulnerability exploits a depth-boundary mismatch between the approval classifier and execution planner, permitting exactly four transparent dispatch wrappers (such as repeated env invocations) to bypass the security=allowlist approval requirement. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the CVSS 4.5 score and publicly available patch indicate this is a real but lower-priority vulnerability with moderate real-world risk depending on deployment context.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

OpenClaw fails to consistently apply sender-policy checks to reaction and pin event handlers, allowing authenticated attackers to bypass configured direct message policies and channel user allowlists by injecting unauthorized events from restricted senders. The vulnerability affects OpenClaw versions prior to 2026.2.25, requires low privileges (authenticated user), and enables unauthorized event injection with moderate severity (CVSS 4.3). A patch is available from the vendor, and the vulnerability has been documented in the VulnCheck advisory and GitHub Security Advisory GHSA-rm2p-j3r7-4x4j.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP (Approval Control Panel) client that automatically approves tool calls based on untrusted metadata and overly permissive heuristics. An authenticated attacker with PR (privileges required) can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like function names to reach auto-approve execution paths. This vulnerability enables unauthorized information disclosure and modification without user interaction, and while not currently listed as actively exploited in KEV, proof-of-concept demonstrations are available via vendor security advisories.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.22 suffer from cryptographic secret reuse where the gateway authentication token is inappropriately reused as a fallback hashing secret for owner-ID obfuscation in system prompts sent to third-party model providers. An unauthenticated attacker with visibility into system prompts (such as through model provider logs, prompt injection, or interception) can reverse-engineer the gateway authentication token from hash outputs when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, directly compromising authentication security. The vulnerability has a low CVSS score of 3.7 due to high attack complexity and limited impact scope, but represents a critical cryptographic design flaw that violates separation-of-concerns principles across security domains.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain a passwordless fallback authentication bypass in the BlueBubbles webhook handler that allows attackers to send unauthenticated webhook events by exploiting loopback or reverse-proxy heuristics. The vulnerability affects the BlueBubbles plugin component and has a CVSS score of 4.8 (medium severity) with low attack complexity, enabling both confidentiality and integrity impact without requiring authentication or user interaction. A vendor patch is available, and the vulnerability is documented in public advisories from VulnCheck and GitHub Security.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.26 contain an authentication bypass vulnerability in their Slack system event handlers that fails to properly enforce sender authorization checks. Attackers with low-privilege access (PR:L in CVSS vector) can craft and send unauthorized system events through message_changed, message_deleted, and thread_broadcast event types to bypass Slack DM allowlists and per-channel user allowlists. The vulnerability has a moderate CVSS score of 5.4 with low confidentiality and integrity impact; no KEV or active exploitation has been publicly disclosed, but a patch is available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control mechanism for direct message pairing policies, allowing attackers to reuse pairing approvals across multiple accounts in multi-account deployments. An authenticated attacker (PR:L) who has been approved as a sender in one account can be automatically accepted in another account without explicit re-approval, effectively bypassing authorization boundaries between accounts. The vulnerability has a CVSS score of 3.7 with medium attack complexity and low confidentiality and integrity impacts; no active exploitation in the wild (KEV) or public proof-of-concept has been confirmed, but patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in the system.run function where the rendered command text displayed to approvers has whitespace trimmed from argv tokens, but the actual runtime execution uses the raw, untrimmed argv. An attacker with the ability to influence command arguments and reuse an approval context can craft a trailing-space executable token to execute a different binary than what was approved, resulting in arbitrary command execution under the OpenClaw runtime user. The CVSS score of 4.8 reflects the requirement for local privileges and user interaction, though the integrity impact is marked as high due to the ability to execute unauthorized commands.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, allowing any attacker with access to the host's loopback interface to view or interact with sandboxed browser sessions without credentials. All OpenClaw versions prior to 2026.2.21 are affected. This vulnerability has been publicly disclosed with patches available from the vendor, though no EPSS score, KEV status, or public POC references were provided in the intelligence data.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.6
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness that allows attackers to reuse previously approved system.run execution requests with modified environment variables, bypassing approval-enabled workflow integrity controls. An attacker with access to an approval ID can exploit this vulnerability to execute commands with different environment settings than originally approved, effectively circumventing execution-integrity safeguards. The vulnerability requires local/network access and user interaction, resulting in a low CVSS score of 2.6, but represents a meaningful integrity violation in approval workflows where execution consistency is critical.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.25 allow authenticated attackers with node role permissions to bypass device pairing requirements in the Control UI by spoofing the control-ui client identifier, enabling unauthorized access to node event execution flows. Public exploit code exists for this authentication bypass vulnerability. The vulnerability requires prior authentication and has moderate integrity impact potential.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist protections. Authenticated remote attackers with low privileges can inject malicious shell startup files (.bash_profile, .zshenv) via unsanitized HOME and ZDOTDIR variables to achieve arbitrary code execution before allowlisted commands execute. A patch is available from the vendor via GitHub commit c2c7114ed39a547ab6276e1e933029b9530ee906.

RCE Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace directory by exploiting improper symlink resolution in path validation checks. An attacker with workspace access can leverage in-workspace symlinks pointing to external targets to bypass boundary restrictions on the first write operation. Public exploit code exists for this vulnerability, and a patch is available.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.23 contain a webhook event deduplication bypass vulnerability where normalized Twilio event IDs are randomized on each parse, allowing attackers to replay webhook events and circumvent the manager's deduplication checks. An unauthenticated remote attacker can exploit this over the network to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. While no CVSS modifier for active exploitation or public POC is explicitly confirmed in the provided intelligence, the CVSS 6.5 score reflects moderate integrity and availability impact with low attack complexity.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.4
MEDIUM POC PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to execute arbitrary commands through command injection in the system.run shell-wrapper by injecting malicious arguments that bypass validation controls. Public exploit code exists for this vulnerability, enabling attackers to disguise malicious payloads while executing hidden commands with the privileges of the affected application.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.write scope to escalate privileges and execute owner-only administrative functions including gateway and cron management through agent runs in scoped-token deployments. This is a privilege escalation issue affecting deployments using scoped authentication tokens, where write-level access can be exploited to perform control-plane operations reserved for owners. With a CVSS score of 8.8 and network-accessible attack vector, this represents a significant authorization bypass, though no KEV listing or public exploitation indicators are currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in the signal reaction notification handling mechanism that allows unauthenticated attackers to enqueue status events before authorization checks are performed. Attackers can exploit the reaction-only event path in event-handler.ts to inject signal reaction status lines into sessions without validating proper DM or group access permissions, resulting in integrity compromise. The vulnerability has a CVSS score of 3.7 (low-to-moderate severity) with an attack vector of network, high complexity, and no privileges required, though no active exploitation or public proof-of-concept has been confirmed in known exploit databases.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consistently enforce configured inbound media byte limits across multiple channel ingestion paths. Remote unauthenticated attackers can exploit this by sending oversized media payloads to cause elevated memory consumption and process instability, leading to denial of service. The vulnerability has a CVSS score of 7.5 (High severity) with network-based attack vector and low complexity, though no active exploitation (KEV) or public proof-of-concept has been reported at this time.

Denial Of Service Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low privileges to bypass runtime confinement restrictions. Attackers can exploit a flaw in cross-agent sessions_spawn operations to create child processes under unsandboxed agents, effectively disabling sandbox protections by setting sandbox.mode to off. While the CVSS score is 7.5 (High), there is no evidence of active exploitation (not in CISA KEV), though the vulnerability has been publicly disclosed through GitHub Security Advisories and VulnCheck, increasing the likelihood of proof-of-concept development.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in HTTP gateway routes due to incorrect application of tokenless Tailscale header authentication. Attackers on trusted networks can access HTTP gateway routes without providing required token or password credentials, potentially exposing sensitive functionality. A patch is available from the vendor, and this vulnerability has been disclosed publicly via GitHub Security Advisory GHSA-hff7-ccv5-52f8.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability that selectively bypasses safety checks for tar.bz2 skill archives while other formats enforce proper validation. An attacker can craft a malicious tar.bz2 skill archive that circumvents special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation when a user interacts with the installer. This is a local, user-interaction-dependent vulnerability with no authentication required, rated CVSS 5.5 (medium severity) with denial of service impact.

Denial Of Service Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use (TOCTOU) vulnerability in the approval-bound system.run execution function where the current working directory (cwd) parameter is validated at approval time but resolved at execution time, allowing attackers with local access and limited privileges to retarget symlinked directories between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. The vulnerability has a CVSS score of 6.5 with medium attack complexity but high integrity and availability impact, making it a notable local privilege escalation vector that requires user interaction in the approval workflow.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated attackers to bypass device pairing requirements and self-assign elevated operator.admin scopes. Attackers with valid shared gateway authentication credentials can present self-signed unpaired device identities to obtain administrator privileges before pairing approval is granted. This is a high-severity vulnerability (CVSS 8.8) with a patch available from the vendor.

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

OpenClaw contains an authorization bypass vulnerability in its WebSocket connection handling that allows authenticated users with low-privilege shared-token or password credentials to falsely declare elevated administrative scopes without proper server-side validation. Attackers with basic authentication can escalate privileges to operator.admin level and execute administrative gateway operations. With a CVSS score of 9.9 (Critical) and low attack complexity, this represents a severe privilege escalation risk, though no KEV listing or EPSS data is currently available to confirm active exploitation.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain an authentication bypass vulnerability where failed authentication bootstrap during startup leaves browser-control routes accessible without credentials. An attacker with local process access or ability to reach the application via loopback SSRF can exploit this to access sensitive browser-control functionality including code evaluation capabilities without valid authentication. This is a moderate-risk vulnerability with a CVSS score of 6.9 and realistic exploitation potential for local/SSRF-capable threats.

SSRF Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

OpenClaw prior to version 2026.2.23 allows local authenticated attackers to inject malicious code into exported HTML sessions through specially crafted mimeType values in image content blocks. When a user opens the exported HTML file, the injected code executes arbitrary JavaScript in their browser context. Exploitation requires local access and user interaction to open the malicious HTML file.

XSS Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow authenticated attackers to bypass sender authorization checks through identifier collision attacks, enabling them to gain unauthorized access to privileged tools. By exploiting untyped sender keys and forcing collisions with mutable identity fields like senderName or senderUsername, attackers can inherit elevated permissions not granted to their account. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain a Server-Side Request Forgery (SSRF) vulnerability in MSTeams media attachment handling where redirect chain validation against the mediaAllowHosts allowlist is inconsistently applied. An authenticated attacker with low privileges can supply or influence attachment URLs that redirect to non-allowlisted targets, allowing them to bypass SSRF boundary controls and potentially access internal resources. The vulnerability has confirmed patch availability and security advisories from the vendor.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaw gateway plugin versions before 2026.2.26 allow remote attackers to bypass authentication by exploiting path traversal in the /api/channels endpoint through encoded dot-segment sequences. Attackers can manipulate these paths to access protected plugin routes that should be restricted, gaining unauthorized access to sensitive channel functionality. No patch is currently available for this medium-severity vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.2 contain an authorization bypass vulnerability in Discord voice transcript processing where the senderIsOwner flag is not properly validated in the agentCommand handler, causing it to default to true. This allows non-owner participants in mixed-trust Discord channels to gain unauthorized access to owner-only tools including gateway and cron functionality. The vulnerability has a CVSS score of 5.9 (medium severity) with high integrity impact, though real-world exploitation requires user interaction and moderate attack complexity.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated attackers to bypass device identity verification and gain high-privilege Control UI access when insecure authentication is enabled and the gateway uses unencrypted HTTP. An attacker with compromised credentials can exploit the lack of secure authentication enforcement to obtain unauthorized control access. The vulnerability requires network access and valid credentials but poses significant risk in environments where plaintext HTTP is used.

Authentication Bypass Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.24 allow authenticated attackers to bypass path traversal protections by using @-prefixed absolute paths that evade workspace boundary validation, enabling unauthorized file access outside the intended directory scope when workspace-only restrictions are configured. The vulnerability stems from a canonicalization mismatch that fails to properly validate these specially-crafted paths, allowing attackers to read arbitrary files on the system.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

OpenClaw versions before 2026.2.22 allow local attackers with environment access to execute arbitrary commands by manipulating the SHELL environment variable, which is insufficiently validated during shell fallback operations. An attacker can leverage this to run malicious code with the privileges of the OpenClaw process. No patch is currently available for this vulnerability.

Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw server-http versions before 2026.2.26 permit unauthenticated access to protected plugin channel APIs through path canonicalization mismatches between gateway and routing handlers. Remote attackers can exploit this authentication bypass by crafting requests with alternative path encodings to reach sensitive endpoints without valid credentials. No patch is currently available for this medium-severity issue.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

OpenClaw versions before 2026.2.19 allow remote file disclosure when iMessage remote attachment fetching is enabled, as the stageSandboxMedia function fails to properly validate attachment paths and accepts arbitrary absolute paths. An attacker with the ability to manipulate attachment metadata can read files accessible to the OpenClaw process on the configured remote host via SCP. No patch is currently available for this vulnerability.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

CVE-2026-32029 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Code Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

A remote code execution vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.26 contain a critical authorization bypass vulnerability where Direct Message (DM) pairing-store identities are incorrectly reused to satisfy group-level sender allowlist authorization checks. An attacker with valid DM pairing credentials can send messages to groups without being explicitly listed in the group's allowFrom access control list, effectively bypassing group message access controls. This vulnerability requires authenticated access (PR:L) but enables high-confidence information disclosure (C:H), with a CVSS score of 6.5 reflecting the combination of network accessibility and authentication requirement.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability (CWE-22: Path Traversal) in sandbox media handling that allows attackers with low privileges to read and exfiltrate arbitrary files from the host temporary directory. An authenticated attacker can exploit this by crafting malicious media references delivered through attachment mechanisms, bypassing sandbox isolation to access sensitive files outside the intended sandbox root. No active exploitation in the wild (KEV status unknown), but proof-of-concept code references are available in GitHub commit history.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A WebSocket authentication bypass vulnerability in OpenClaw gateway software allows attackers to circumvent origin validation and rate limiting protections when deployed on localhost/loopback interfaces. The flaw enables malicious websites to conduct brute-force attacks against the gateway's authentication mechanism through a victim's browser, potentially gaining full administrative control over the OpenClaw control plane. With a 7.5 CVSS score and requiring only user interaction to exploit, this represents a significant risk for organizations running OpenClaw in loopback configurations.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 suffer from a symlink traversal flaw in avatar processing that enables local attackers with user-level privileges to read sensitive files beyond the intended workspace directory. An attacker can leverage this through gateway interfaces to access arbitrary files with OpenClaw process permissions, resulting in unauthorized information disclosure. No patch is currently available for this vulnerability.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in the system.run allowlist mode where attackers with local privileges can chain multiple transparent dispatch wrappers (such as /usr/bin/env) to suppress shell-wrapper detection and execute arbitrary shell commands without triggering expected approval prompts in allowlist plus ask=on-miss configurations. This authentication bypass has a CVSS score of 5.9 (medium severity) with high integrity impact, allowing privilege escalation or unauthorized command execution on affected systems. A proof-of-concept and security advisory are available from GitHub and VulnCheck.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

A arbitrary file access vulnerability in the grep tool within tools (CVSS 6.0) that allows attackers. Remediation should follow standard vulnerability management procedures.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

CVE-2026-32021 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.22 contain incomplete validation of IPv4 special-use ranges in the isPrivateIpv4() function, allowing attackers to bypass Server-Side Request Forgery (SSRF) policy checks and access RFC-reserved address ranges that should be blocked. An authenticated attacker with network reachability to special-use IPv4 ranges such as 198.18.0.0/15 can exploit the web_fetch functionality to access blocked internal addresses, resulting in information disclosure and potential lateral movement. The vulnerability has been patched and security advisories are available from the OpenClaw project.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers.

Information Disclosure Race Condition Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.19 allow authenticated attackers to bypass the exec safeBins policy and write arbitrary files by injecting short-option flags into whitelisted binary commands. An attacker with login credentials can exploit this allowlist bypass to perform unauthorized file-write operations that should be blocked by the safeBins security controls. No patch is currently available for this medium-severity vulnerability.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

OpenClaw versions before 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows local attackers with process environment control to execute arbitrary binaries by spoofing allowlisted tool names like jq. An attacker who can manipulate the gateway process PATH can bypass executable validation controls and achieve code execution with the privileges of the affected process. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

A metadata spoofing vulnerability in OpenClaw allows attackers with paired node identities on the trusted network to bypass platform-based node command policies by manipulating unsigned reconnect platform and deviceFamily fields. This authentication bypass vulnerability affects OpenClaw versions prior to 2026.2.26 and enables unauthorized access to restricted commands with high impact on confidentiality, integrity, and availability (CVSS 8.0). No active exploitation has been reported in KEV and EPSS data is not available, but the vulnerability has been publicly disclosed with patches available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A symlink traversal vulnerability in OpenClaw allows authenticated attackers to read and write arbitrary files on the host system through the agents.files.get and agents.files.set methods. The vulnerability affects OpenClaw versions prior to 2026.2.25 and can lead to remote code execution through strategic file overwrites. With a high CVSS score of 8.8 and an RCE tag, this represents a critical security risk for organizations using affected versions.

RCE Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow local authenticated attackers to bypass the safe-bin allowlist by exploiting sort's --compress-program flag, enabling execution of arbitrary programs despite allowlist restrictions. This command injection vulnerability affects deployments using safe-bin configuration with ask=on-miss mode enabled, permitting unauthorized code execution without operator approval.

Command Injection Openclaw
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Arbitrary command execution in OpenClaw prior to version 2026.2.24 results from improper validation of binaries in package manager directories that are included in the safeBins allowlist. An attacker with write access to trusted paths such as /opt/homebrew/bin or /usr/local/bin can plant a malicious binary to achieve code execution within the OpenClaw runtime. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.21 allow authenticated users with browser-tool access to bypass URL scheme validation and navigate to file:// URLs, enabling local file exfiltration through browser snapshot and extraction features. An attacker with valid credentials could read sensitive files accessible to the OpenClaw process and extract them from the system. No patch is currently available.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.

Path Traversal Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

CVE-2026-32006 is a security vulnerability (CVSS 3.1). Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.25 contain an authorization bypass vulnerability in interactive callback handlers (block_action, view_submission, view_closed) that allows authenticated but unauthorized workspace members to bypass sender authorization checks and enqueue arbitrary system events into active sessions. This affects shared workspace deployments where multiple users with varying permission levels coexist, enabling privilege escalation and information disclosure attacks without requiring elevated privileges or user interaction.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenClaw prior to version 2026.3.2 allows unauthenticated attackers to bypass authentication controls on the /api/channels endpoint through path canonicalization mismatches, enabling access to protected API resources. The vulnerability exploits inconsistent handling of multi-encoded slash characters (%2f variants) between authentication checks and route processing. No patch is currently available, and exploitation requires only network access with no user interaction.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 allow high-privileged attackers to execute arbitrary shell commands by injecting malicious environment variables into the system.run function, bypassing the intended command allowlist protections. By exploiting bash xtrace expansion through SHELLOPTS and PS4 variables, an attacker with request-scoped environment variable access can achieve code execution beyond the restricted command set. No patch is currently available for this command injection vulnerability.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.23 allow authenticated users to bypass sandbox restrictions and read files outside the intended workspace by exploiting inadequate path validation in the sandboxed image tool. An attacker with valid credentials can exfiltrate sensitive files by leveraging vision model provider integrations, compromising the confidentiality of restricted data.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OpenClaw prior to version 2026.2.22 allows authenticated users to bypass device identity verification and assume a node role during WebSocket connections, enabling injection of unauthorized node events that trigger sensitive agent and voice transcript operations. An attacker with a shared gateway token can exploit this to perform actions without proper device pairing, potentially compromising system integrity and confidentiality. No patch is currently available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a current working directory (cwd) injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows local attackers to manipulate command execution through directory control during shell fallback mechanisms. An authenticated local attacker with low privileges can exploit this vulnerability to achieve command execution integrity loss by controlling the working directory, potentially leading to unauthorized code execution or privilege escalation. While no active in-the-wild exploitation has been reported in KEV databases, the vulnerability is documented with a proof-of-concept available through the vendor's security advisory on GitHub.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.1 contain a post-approval executable rebind vulnerability in the system.run approval mechanism that fails to pin executable identity when argv[0] is not a full path. An attacker with local access and low privileges can modify PATH environment variables after an operator approves a command execution to redirect the approval to execute a different binary, achieving arbitrary command execution with the privileges of the OpenClaw process. The vulnerability has a moderate CVSS score of 6.0 reflecting local attack vector and high privilege requirements, but poses significant risk in environments where approval workflows are relied upon for security boundaries.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.19 contain an input validation bypass in the tools.exec.safeBins component that allows local attackers with command execution privileges to circumvent stdin-only restrictions and perform arbitrary filesystem operations. By exploiting sort output flags (specifically the -o flag for arbitrary file writes) or recursive grep flags (-R for recursive file reads), authenticated attackers can read sensitive files or overwrite critical files despite intended access controls. While the CVSS score of 3.6 is moderate and requires local access with low privileges, the vulnerability represents a privilege escalation or sandbox escape technique rather than a critical remote exploit.

Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.19 allow local attackers with limited privileges to execute arbitrary commands through the Lobster extension's Windows shell fallback mechanism by injecting malicious arguments into workflow processes. The vulnerability exploits cmd.exe command interpretation when spawn operations fail and trigger shell execution, enabling command injection with potential impact on system integrity and availability. A patch is available for affected versions.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw contains a local command injection vulnerability in Windows scheduled task script generation that allows authenticated local attackers to inject arbitrary commands through unsafe handling of cmd metacharacters and CR/LF sequences in gateway.cmd files. OpenClaw versions prior to 2026.2.19 are affected. Attackers with control over service script generation arguments can execute unintended code in the scheduled task context with high impact to integrity and availability.

Command Injection Microsoft Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

OpenClaw versions before 2026.2.22 contain an allowlist parsing flaw in the macOS companion app that enables authenticated operators with elevated privileges to bypass command execution controls and run arbitrary commands on paired hosts. The vulnerability affects systems with operator.write access and macOS beta nodes, allowing attackers to craft malicious shell-chain payloads that circumvent validation checks. A security patch is available.

Apple Authentication Bypass Openclaw +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw contains an allowlist bypass vulnerability in system.run guardrails that enables authenticated operators to execute arbitrary commands by exploiting the env -S flag when /usr/bin/env is allowlisted. The vulnerability affects all OpenClaw versions prior to 2026.2.23, allowing attackers with low-level privileges to bypass policy controls and execute shell wrapper payloads at runtime. No KEV status or public POC has been reported, though vendor patches are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in Signal group allowlist enforcement where the system incorrectly accepts sender identities derived from direct message (DM) pairing-store approvals. An authenticated attacker with low privileges can exploit this boundary weakness by obtaining DM pairing approval, allowing them to bypass group allowlist checks and gain unauthorized access to Signal groups. While the CVSS score is moderate (3.7) and attack complexity is high, the vulnerability represents a direct authentication control bypass in a messaging security context, and patches are available from the vendor.

Authentication Bypass Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.3.2 contain a symlink traversal vulnerability in the stageSandboxMedia function that fails to validate destination symlinks during media staging operations. This allows local attackers with low privileges to write files outside the intended sandbox workspace by placing malicious symlinks in the media/inbound directory, resulting in arbitrary file overwrite on the host system. A patch is available from the vendor, and the vulnerability was reported by VulnCheck with public references including a GitHub security advisory and commit fix.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

OpenClaw versions prior to 2026.3.1 contain a server-side request forgery (SSRF) vulnerability in the web_search citation redirect resolution component that permits requests to private network ranges. Authenticated attackers with low privileges can manipulate citation redirect targets to force the OpenClaw server to make requests to loopback addresses, private networks, or internal infrastructure, potentially accessing sensitive internal services or data. The vulnerability has a CVSS score of 7.4 with changed scope, indicating potential lateral movement beyond the vulnerable component.

SSRF Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

OpenClaw 2026.3.1 contains an approval integrity bypass vulnerability in the system.run node-host execution feature where attackers can rewrite command-line arguments (argv) to change the semantics of operator-approved commands. An authenticated local attacker with low privileges can place malicious scripts in the working directory to execute unintended code despite the operator approving different command text, resulting in high-impact confidentiality, integrity, and availability violations. A patch is available from the vendor, and no public exploit code has been widely reported, but the vulnerability represents a critical trust boundary violation in approval workflows.

Information Disclosure Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in its allow-always wrapper persistence mechanism that enables remote code execution. Attackers with high privileges and user interaction can approve benign wrapped system.run commands, then subsequently execute arbitrary different payloads without requiring additional approval, compromising both gateway and node-host execution environments. A patch is available from the vendor, and this vulnerability is tagged as enabling both RCE and command injection attacks.

RCE Command Injection Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenClaw contains an unbounded memory growth vulnerability in its Zalo webhook endpoint that allows unauthenticated remote attackers to exhaust system memory through query string manipulation. OpenClaw versions prior to 2026.3.1 are affected. Attackers can send repeated HTTP requests with varying query parameters to trigger in-memory key accumulation, leading to memory pressure, process instability, or complete denial of service through out-of-memory conditions.

Denial Of Service Openclaw
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the system.run function that allows authenticated attackers to execute non-allowlisted commands by exploiting shell line-continuation characters to fold malicious command substitution past security controls. An attacker with low privileges (PR:L) can inject shell metacharacters (specifically $\ followed by newline and parenthesis within double quotes) to circumvent approval boundaries and execute arbitrary commands, resulting in integrity compromise and potential availability impact. A public advisory and patch are available from the vendor, though no EPSS score or KEV status was provided in the intelligence sources.

Command Injection Openclaw
NVD GitHub VulDB
Prev Page 5 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy