gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-22 09:51:21 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
26af277afd9a5bcb32cdbe9797d2fdae84dbb30f
clawsec/advisories/feed.json
T
github-actions[bot] 6c33384947 chore: CVE advisories - 0 new, 29 updated (#190) 
Automated update from NVD CVE feed.
Keywords: OpenClaw clawdbot Moltbot NanoClaw WhatsApp-bot baileys
Poll window: 2026-04-12T06:30:25Z to 2026-04-14T06:33:41.000Z

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-14 14:09:51 +03:00

10621 lines
532 KiB
JSON
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"version": "0.0.3",
"updated": "2026-04-14T06:34:22Z",
"description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
"advisories": [
{
"id": "CVE-2026-3691",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote...",
"description": "OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow.\n\nThe specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-29381.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-11T01:16:16.123",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp",
"https://www.zerodayinitiative.com/advisories/ZDI-26-229/"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3691",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-3690",
"severity": "high",
"type": "unknown_cwe_291",
"nvd_category_id": "CWE-291",
"title": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to b...",
"description": "OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-11T01:16:15.990",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf",
"https://www.zerodayinitiative.com/advisories/ZDI-26-228/"
],
"cvss_score": 7.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3690",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.4); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-3689",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remot...",
"description": "OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-29312.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-11T01:16:15.837",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6",
"https://www.zerodayinitiative.com/advisories/ZDI-26-227/"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3689",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35670",
"severity": "medium",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to r...",
"description": "OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:09.413",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35670",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35669",
"severity": "high",
"type": "unknown_cwe_648",
"nvd_category_id": "CWE-648",
"title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plu...",
"description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:09.240",
"references": [
"https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35669",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35668",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sa...",
"description": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:09.060",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg",
"https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35668",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.7); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35667",
"severity": "medium",
"type": "unknown_cwe_404",
"nvd_category_id": "CWE-404",
"title": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command...",
"description": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:08.883",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2",
"https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35667",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35666",
"severity": "high",
"type": "unknown_cwe_706",
"nvd_category_id": "CWE-706",
"title": "OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fa...",
"description": "OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:08.680",
"references": [
"https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35666",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35665",
"severity": "medium",
"type": "unknown_cwe_405",
"nvd_category_id": "CWE-405",
"title": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook han...",
"description": "OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:08.437",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35665",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35664",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface t...",
"description": "OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:08.240",
"references": [
"https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3",
"https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35664",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35663",
"severity": "high",
"type": "unknown_cwe_648",
"nvd_category_id": "CWE-648",
"title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators...",
"description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:08.047",
"references": [
"https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35663",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35662",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing le...",
"description": "OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. Attackers can exploit this by using the send action to communicate with child sessions without proper scope validation, bypassing intended access control restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:07.867",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35662",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35661",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query ...",
"description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:07.687",
"references": [
"https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33",
"https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35661",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35660",
"severity": "high",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent...",
"description": "OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:07.493",
"references": [
"https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35660",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35659",
"severity": "medium",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour...",
"description": "OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:07.277",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv"
],
"cvss_score": 4.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35659",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.6); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35658",
"severity": "medium",
"type": "exposure_of_resource_to_wrong_sphere",
"nvd_category_id": "CWE-668",
"title": "OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that ...",
"description": "OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:07.090",
"references": [
"https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35658",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35657",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sess...",
"description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:06.913",
"references": [
"https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35657",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35656",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For hea...",
"description": "OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:06.733",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35656",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35655",
"severity": "medium",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution t...",
"description": "OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:06.550",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj"
],
"cvss_score": 5.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35655",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.7); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35654",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback...",
"description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:06.370",
"references": [
"https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35654",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35653",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profi...",
"description": "OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:06.170",
"references": [
"https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0",
"https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35653",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35652",
"severity": "medium",
"type": "unknown_cwe_696",
"nvd_category_id": "CWE-696",
"title": "OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dis...",
"description": "OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling unauthorized actions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.987",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8883-9w57-vwv6"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35652",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35651",
"severity": "medium",
"type": "unknown_cwe_150",
"nvd_category_id": "CWE-150",
"title": "OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerabilit...",
"description": "OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.803",
"references": [
"https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7",
"https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35651",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35650",
"severity": "high",
"type": "unknown_cwe_15",
"nvd_category_id": "CWE-15",
"title": "OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allo...",
"description": "OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.627",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35650",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35649",
"severity": "medium",
"type": "unknown_cwe_183",
"nvd_category_id": "CWE-183",
"title": "OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to ...",
"description": "OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.437",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35649",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35648",
"severity": "low",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not r...",
"description": "OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.253",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35648",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35647",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass...",
"description": "OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:05.077",
"references": [
"https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r",
"https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35647",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35643",
"severity": "high",
"type": "unknown_cwe_940",
"nvd_category_id": "CWE-940",
"title": "OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing...",
"description": "OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:04.887",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35643",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35641",
"severity": "high",
"type": "unknown_cwe_349",
"nvd_category_id": "CWE-349",
"title": "OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hoo...",
"description": "OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:04.697",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35641",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35621",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command...",
"description": "OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:04.520",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35621",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35620",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist...",
"description": "OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:04.320",
"references": [
"https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b",
"https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2",
"https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35620",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35619",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endp...",
"description": "OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T17:17:04.140",
"references": [
"https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35619",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-6011",
"severity": "medium",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown f...",
"description": "A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-10T05:16:06.757",
"references": [
"https://github.com/openclaw/openclaw/",
"https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44",
"https://github.com/openclaw/openclaw/releases/tag/v2026.1.29"
],
"cvss_score": 5.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6011",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.6); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35646",
"severity": "medium",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook t...",
"description": "OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:34.223",
"references": [
"https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm",
"https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35646",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35645",
"severity": "high",
"type": "unknown_cwe_648",
"nvd_category_id": "CWE-648",
"title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subage...",
"description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:34.050",
"references": [
"https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35645",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35644",
"severity": "medium",
"type": "unknown_cwe_312",
"nvd_category_id": "CWE-312",
"title": "OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers wit...",
"description": "OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive authentication information from URL userinfo components.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:33.873",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35644",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35642",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events...",
"description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:33.697",
"references": [
"https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-group-reactions-via-requiremention-bypass"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35642",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35640",
"severity": "medium",
"type": "unknown_cwe_696",
"nvd_category_id": "CWE-696",
"title": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing ...",
"description": "OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:33.507",
"references": [
"https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35640",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35639",
"severity": "high",
"type": "unknown_cwe_648",
"nvd_category_id": "CWE-648",
"title": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve m...",
"description": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:33.317",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35639",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35638",
"severity": "high",
"type": "unknown_cwe_286",
"nvd_category_id": "CWE-286",
"title": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allow...",
"description": "OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:33.123",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35638",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35637",
"severity": "high",
"type": "unknown_cwe_696",
"nvd_category_id": "CWE-696",
"title": "OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization che...",
"description": "OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.933",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35637",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35636",
"severity": "medium",
"type": "unknown_cwe_696",
"nvd_category_id": "CWE-696",
"title": "OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where...",
"description": "OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.750",
"references": [
"https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2",
"https://www.vulncheck.com/advisories/openclaw-session-isolation-bypass-via-sessionid-resolution"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35636",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35635",
"severity": "medium",
"type": "unknown_cwe_706",
"nvd_category_id": "CWE-706",
"title": "OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Ch...",
"description": "OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.567",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35635",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35634",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway wher...",
"description": "OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.380",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc"
],
"cvss_score": 5.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35634",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.1); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35633",
"severity": "medium",
"type": "unknown_cwe_789",
"nvd_category_id": "CWE-789",
"title": "OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP...",
"description": "OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.187",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35633",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35632",
"severity": "high",
"type": "unknown_cwe_61",
"nvd_category_id": "CWE-61",
"title": "OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.up...",
"description": "OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:32.003",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xr2-q9vf-x4r5",
"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-via-identity-md-appendfile-in-agents-create-update"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35632",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35631",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat comman...",
"description": "OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:31.790",
"references": [
"https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35631",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35629",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel e...",
"description": "OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:31.603",
"references": [
"https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h",
"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions"
],
"cvss_score": 7.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35629",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.4); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35628",
"severity": "medium",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authent...",
"description": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:31.423",
"references": [
"https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4",
"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35628",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35627",
"severity": "medium",
"type": "unknown_cwe_696",
"nvd_category_id": "CWE-696",
"title": "OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct mes...",
"description": "OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:31.240",
"references": [
"https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35627",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35626",
"severity": "medium",
"type": "unknown_cwe_405",
"nvd_category_id": "CWE-405",
"title": "OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice cal...",
"description": "OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:31.047",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35626",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35625",
"severity": "high",
"type": "unknown_cwe_648",
"nvd_category_id": "CWE-648",
"title": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-au...",
"description": "OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local reconnection to silently escalate privileges and achieve remote code execution on the node.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:30.867",
"references": [
"https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-silent-local-shared-auth-reconnect"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35625",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35624",
"severity": "medium",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that match...",
"description": "OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:30.683",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr"
],
"cvss_score": 4.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35624",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.2); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35623",
"severity": "medium",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication t...",
"description": "OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:30.530",
"references": [
"https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv",
"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35623",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35622",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google C...",
"description": "OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:30.340",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35622",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35618",
"severity": "medium",
"type": "unknown_cwe_294",
"nvd_category_id": "CWE-294",
"title": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verificatio...",
"description": "OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:30.143",
"references": [
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35618",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-35617",
"severity": "medium",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy...",
"description": "OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:29.950",
"references": [
"https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname"
],
"cvss_score": 4.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35617",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.2); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34512",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:s...",
"description": "OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-09T22:16:29.757",
"references": [
"https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2",
"https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpoint"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34512",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-40037",
"severity": "medium",
"type": "open_redirect",
"nvd_category_id": "CWE-601",
"title": "OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetc...",
"description": "OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-08T22:16:24.370",
"references": [
"https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m",
"https://www.vulncheck.com/advisories/openclaw-unsafe-request-body-replay-via-fetchwithssrfguard-cross-origin-redirects"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40037",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34511",
"severity": "medium",
"type": "unknown_cwe_330",
"nvd_category_id": "CWE-330",
"title": "OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth f...",
"description": "OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-03T21:17:11.517",
"references": [
"https://github.com/openclaw/openclaw/commit/a26f4d0f3ef0757db6c6c40277cc06a5de76c52f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf",
"https://www.vulncheck.com/advisories/openclaw-pkce-verifier-exposure-via-oauth-state-parameter"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34511",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34426",
"severity": "high",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsiste...",
"description": "OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment variables into execution without approval system validation. Attackers can exploit differing normalization logic to discard non-portable keys during approval processing while accepting them at execution time, bypassing operator review and potentially influencing runtime behavior including execution of attacker-controlled binaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-02T19:21:31.727",
"references": [
"https://github.com/openclaw/openclaw/commit/b57b680c0c34de907d57f60c38fb358e82aef8f7",
"https://github.com/openclaw/openclaw/pull/59182",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-98ch-45wp-ch47"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34426",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34425",
"severity": "medium",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in she...",
"description": "OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-02T19:21:31.507",
"references": [
"https://github.com/openclaw/openclaw/commit/8aceaf5d0f0ec552b75a792f7f0a3bfa5b091513",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fvx6-pj3r-5q4q",
"https://www.vulncheck.com/advisories/openclaw-shell-bleed-protection-preflight-validation-bypass"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34425",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34510",
"severity": "medium",
"type": "unknown_cwe_41",
"nvd_category_id": "CWE-41",
"title": "OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that acce...",
"description": "OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-04-01T16:23:50.567",
"references": [
"https://github.com/openclaw/openclaw/commit/4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5",
"https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87",
"https://github.com/openclaw/openclaw/commit/93880717f1cd34feaa45e74e939b7a5256288901"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34510",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34504",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider i...",
"description": "OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metadata and responses through the image pipeline.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:19.687",
"references": [
"https://github.com/openclaw/openclaw/commit/80d1e8a11a2ac118c7f7a70bba9c862b6141d928",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qxgf-hmcj-3xw3",
"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-image-download-in-fal-provider"
],
"cvss_score": 8.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34504",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34503",
"severity": "high",
"type": "unknown_cwe_613",
"nvd_category_id": "CWE-613",
"title": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or ...",
"description": "OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:19.470",
"references": [
"https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv",
"https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33581",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows at...",
"description": "OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:15.373",
"references": [
"https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33580",
"severity": "medium",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webho...",
"description": "OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:15.170",
"references": [
"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp",
"https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33579",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command...",
"description": "OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and src/infra/device-pairing.ts.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:14.960",
"references": [
"https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hc5h-pmr3-3497",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-missing-caller-scope-validation-in-device-pair-approval"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33579",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33578",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalou...",
"description": "OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:14.757",
"references": [
"https://github.com/openclaw/openclaw/commit/e64a881ae0fb8af18e451163f4c2d611d60cc8e4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-63mg-xp9j-jfcm",
"https://www.vulncheck.com/advisories/openclaw-sender-policy-allowlist-bypass-via-policy-downgrade-in-google-chat-and-zalouser-extensions"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33578",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33577",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairin...",
"description": "OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:14.530",
"references": [
"https://github.com/openclaw/openclaw/commit/4d7cc6bb4fac68b5a5fadd1c5a23168281221f34",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2x4x-cc5g-qmmg",
"https://www.vulncheck.com/advisories/openclaw-insufficient-scope-validation-in-node-pair-approve"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33577",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33576",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating se...",
"description": "OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T15:16:14.327",
"references": [
"https://github.com/openclaw/openclaw/commit/68ceaf7a5f64a23e78b95eff055e4b497218312a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v2v2-f783-358j",
"https://www.vulncheck.com/advisories/openclaw-unauthorized-media-download-via-zalo-channel"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33576",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34506",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plu...",
"description": "OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:30.440",
"references": [
"https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq",
"https://www.vulncheck.com/advisories/openclaw-sender-allowlist-bypass-in-microsoft-teams-plugin-via-route-allowlist-configuration"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34506",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-34505",
"severity": "medium",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowi...",
"description": "OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling systematic secret guessing and subsequent forged webhook submission.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:30.237",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5m9r-p9g7-679c",
"https://www.vulncheck.com/advisories/openclaw-webhook-rate-limiting-bypass-via-pre-authentication-secret-validation"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34505",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32988",
"severity": "high",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged write...",
"description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes outside the intended validated path before the final guarded replace step executes.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:30.047",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj4p-rc52-m843",
"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unvalidated-temporary-file-creation"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32988",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32982",
"severity": "high",
"type": "unknown_cwe_532",
"nvd_category_id": "CWE-532",
"title": "OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia f...",
"description": "OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:29.850",
"references": [
"https://github.com/openclaw/openclaw/commit/7a53eb7ea8295b08be137e231c9a98c1a79b5cd5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcj-hwhf-h378",
"https://www.vulncheck.com/advisories/openclaw-telegram-bot-token-exposure-in-media-fetch-error-logs"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32982",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32977",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFil...",
"description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths inside the sandbox to redirect committed files outside the validated writable path within the container mount namespace.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:29.660",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvx8-77m6-gwg6",
"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-unanchored-writefile-commit-path"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32977",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32976",
"severity": "medium",
"type": "insecure_direct_object_reference",
"nvd_category_id": "CWE-639",
"title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands t...",
"description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set channels.<provider>.accounts.<id> to modify configuration on target accounts with configWrites: false.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:29.470",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jhh-jcqg-mj5p",
"https://www.vulncheck.com/advisories/openclaw-account-scoped-configwrites-policy-bypass-via-channel-commands"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32976",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32971",
"severity": "high",
"type": "unknown_cwe_451",
"nvd_category_id": "CWE-451",
"title": "OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run appro...",
"description": "OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operators approve misleading command text.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:29.280",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rw39-5899-8mxp",
"https://www.vulncheck.com/advisories/openclaw-node-host-approval-ui-mismatch-allows-execution-of-unintended-commands"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32971",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32970",
"severity": "low",
"type": "unknown_cwe_636",
"nvd_category_id": "CWE-636",
"title": "OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gatew...",
"description": "OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can exploit misconfigured local auth references to cause CLI and helper paths to select incorrect credential sources, potentially bypassing intended local authentication boundaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:29.113",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qvr7-g57c-mrc7",
"https://www.vulncheck.com/advisories/openclaw-credential-fallback-logic-bypass-via-unavailable-local-auth-secretrefs"
],
"cvss_score": 2.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32970",
"exploitability_score": "high",
"exploitability_rationale": "Low CVSS score (2.5); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32921",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable scrip...",
"description": "OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute different content while maintaining the same approved command shape.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:28.920",
"references": [
"https://github.com/openclaw/openclaw/commit/c76d29208bf6a7f058d2cf582519d28069e42240",
"https://github.com/openclaw/openclaw/commit/cf3a479bd1204f62eef7dd82b4aa328749ae6c91",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8g75-q649-6pv6"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32921",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32920",
"severity": "high",
"type": "unknown_cwe_829",
"nvd_category_id": "CWE-829",
"title": "OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ witho...",
"description": "OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute when users run OpenClaw from the directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:28.727",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-99qw-6mr3-36qr",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-auto-discovery-of-workspace-plugins"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32920",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32917",
"severity": "critical",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachme...",
"description": "OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote attachment paths containing shell metacharacters are passed directly to the SCP remote operand without validation, enabling command execution when remote attachment staging is enabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:28.487",
"references": [
"https://github.com/openclaw/openclaw/commit/a54bf71b4c0cbe554a84340b773df37ee8e959de",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g2f6-pwvx-r275",
"https://www.vulncheck.com/advisories/openclaw-remote-command-injection-via-unsanitized-imessage-attachment-paths-in-scp"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32917",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32916",
"severity": "critical",
"type": "unknown_cwe_266",
"nvd_category_id": "CWE-266",
"title": "OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plug...",
"description": "OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-31T12:16:28.197",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xw77-45gv-p728",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-plugin-subagent-routes-via-synthetic-admin-scopes"
],
"cvss_score": 9.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32916",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.4); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33575",
"severity": "high",
"type": "unknown_cwe_522",
"nvd_category_id": "CWE-522",
"title": "OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup cod...",
"description": "OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to leaked setup codes from chat history, logs, or screenshots can recover and reuse the shared gateway credential outside the intended one-time pairing flow.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:03.370",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7h7g-x2px-94hj",
"https://www.vulncheck.com/advisories/openclaw-long-lived-credential-exposure-in-pairing-setup-codes"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33575",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33574",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer th...",
"description": "OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:03.173",
"references": [
"https://github.com/openclaw/openclaw/commit/9abf014f3502009faf9c73df5ca2cff719e54639",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vhwf-4x96-vqx2",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-tools-root-rebinding-in-skills-download"
],
"cvss_score": 6.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33574",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.2); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33573",
"severity": "high",
"type": "exposure_of_resource_to_wrong_sphere",
"nvd_category_id": "CWE-668",
"title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC th...",
"description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by supplying attacker-controlled spawnedBy and workspaceDir values. Remote operators can escape the configured workspace boundary and execute arbitrary file and exec operations from any process-accessible directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:02.980",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2rqg-gjgv-84jm",
"https://www.vulncheck.com/advisories/openclaw-workspace-boundary-bypass-via-agent-rpc-parameters"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33573",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-33572",
"severity": "high",
"type": "unknown_cwe_378",
"nvd_category_id": "CWE-378",
"title": "OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissio...",
"description": "OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:02.770",
"references": [
"https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp",
"https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33572",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (8.4); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32987",
"severity": "critical",
"type": "unknown_cwe_294",
"nvd_category_id": "CWE-294",
"title": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verifica...",
"description": "OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times before approval to escalate pending pairing scopes, including privilege escalation to operator.admin.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:02.563",
"references": [
"https://github.com/openclaw/openclaw/commit/1803d16d5cec970c54b0e1ac46b31b1cbade335c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-63f5-hhc7-cx6p",
"https://www.vulncheck.com/advisories/openclaw-bootstrap-setup-code-replay-via-device-pairing"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32987",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32980",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-...",
"description": "OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send POST requests to the webhook endpoint to force memory consumption, socket time, and JSON parsing work before authentication validation occurs.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:02.353",
"references": [
"https://github.com/openclaw/openclaw/commit/7e49e98f79073b11134beac27fdff547ba5a4a02",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jq3f-vjww-8rq7",
"https://www.vulncheck.com/advisories/openclaw-resource-exhaustion-via-unauthenticated-telegram-webhook-request"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32980",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32979",
"severity": "high",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute...",
"description": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file binding cannot occur. Remote attackers can change approved local scripts before execution to achieve unintended code execution as the OpenClaw runtime user.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:02.157",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xf99-j42q-5w5p",
"https://www.vulncheck.com/advisories/openclaw-unbound-interpreter-and-runtime-commands-bypass-in-node-host-approval"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32979",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32978",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fa...",
"description": "OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. Attackers can obtain approval for benign script commands, rewrite referenced scripts on disk, and execute modified code under the approved run context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:01.963",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qc36-x95h-7j53",
"https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-unrecognized-script-runners"
],
"cvss_score": 8.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32978",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.0); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32975",
"severity": "critical",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode tha...",
"description": "OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages from unintended groups to the agent.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:01.763",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f5mf-3r52-r83w",
"https://www.vulncheck.com/advisories/openclaw-weak-authorization-via-mutable-group-names-in-zalouser-allowlist"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32975",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32974",
"severity": "high",
"type": "unknown_cwe_347",
"nvd_category_id": "CWE-347",
"title": "OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode whe...",
"description": "OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated network attackers can inject forged Feishu events and trigger downstream tool execution by reaching the webhook endpoint.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:01.570",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g353-mgv3-8pcj",
"https://www.vulncheck.com/advisories/openclaw-forged-event-injection-via-feishu-webhook-verification-token"
],
"cvss_score": 8.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32974",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.6); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32973",
"severity": "critical",
"type": "unknown_cwe_625",
"nvd_category_id": "CWE-625",
"title": "OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlist...",
"description": "OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers can exploit the ? wildcard matching across path segments to execute commands or paths not intended by operators.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:01.367",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f8r2-vg7x-gh8m",
"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-pattern-overmatch-via-posix-path-normalization"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32973",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32972",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated oper...",
"description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers can create or modify browser profiles and persist attacker-controlled remote CDP endpoints to disk without holding operator.admin privileges.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:01.167",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vmhq-cqm9-6p7q",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-browser-profile-management-via-browser-request"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32972",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32924",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction event...",
"description": "OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers can exploit this misclassification to bypass groupAllowFrom and requireMention protections in group chat reaction-derived events.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:00.963",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-m69h-jm2f-2pv8",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-misclassified-reaction-events-in-feishu"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32924",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32923",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction i...",
"description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce member users and roles allowlist checks. Non-allowlisted guild members can trigger reaction events accepted as trusted system events, injecting reaction text into downstream session context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:00.767",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9vvh-2768-c8vp",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-discord-guild-reaction-allowlist-enforcement"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32923",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32922",
"severity": "critical",
"type": "unknown_cwe_266",
"nvd_category_id": "CWE-266",
"title": "OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that ...",
"description": "OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:00.573",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4jpw-hj22-2xmc",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unvalidated-scope-in-device-token-rotate"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32922",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32919",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped calle...",
"description": "OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests containing /new or /reset slash commands to reset targeted conversation state without holding operator.admin privileges.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:00.380",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jf6w-m8jw-jfxc",
"https://www.vulncheck.com/advisories/openclaw-unauthorized-session-reset-via-agent-slash-commands"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32919",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32918",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool...",
"description": "OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including persisted model overrides.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:17:00.173",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wcxr-59v9-rxr8",
"https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32918",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (8.4); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32915",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents t...",
"description": "OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause execution with broader tool policies by exploiting insufficient authorization checks on subagent control requests.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:16:59.973",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4w7m-58cg-cmff",
"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-subagent-control-surface"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32915",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (8.8); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32914",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /...",
"description": "OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-29T13:16:59.767",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r7vr-gr74-94p8",
"https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-config-and-debug-endpoints"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32914",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32846",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in medi...",
"description": "OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-26T17:16:37.640",
"references": [
"https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37",
"https://github.com/openclaw/openclaw/pull/54642",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32846",
"exploitability_score": "unknown",
"exploitability_rationale": "No CVSS score available; requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "unknown"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32913",
"severity": "critical",
"type": "unknown_cwe_522",
"nvd_category_id": "CWE-522",
"title": "OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard ...",
"description": "OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-23T22:16:30.433",
"references": [
"https://github.com/openclaw/openclaw/commit/46715371b0612a6f9114dffd1466941ac476cef5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6mgf-v5j7-45cr",
"https://vulncheck.com/advisories/openclaw-mar-custom-authorization-header-leakage-via-cross-origin-redirects"
],
"cvss_score": 9.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32913",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27646",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command...",
"description": "OpenClaw versions prior to 2026.3.7 contain a sandbox escape vulnerability in the /acp spawn command that allows authorized sandboxed sessions to initialize host-side ACP runtime. Attackers can bypass sandbox restrictions by invoking the /acp spawn slash-command to cross from sandboxed chat context into host-side ACP session initialization when ACP is enabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-23T22:16:25.660",
"references": [
"https://github.com/openclaw/openclaw/commit/61000b8e4ded919ca1a825d4700db4cb3fdc56e3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9q36-67vc-rrwg",
"https://vulncheck.com/advisories/openclaw-mar-sandbox-escape-via-acp-spawn-command"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27646",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27183",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.r...",
"description": "OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactly four transparent dispatch wrappers like repeated env invocations before /bin/sh -c to bypass security=allowlist approval gating by misaligning classification with execution planning.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-23T22:16:25.443",
"references": [
"https://github.com/openclaw/openclaw/commit/2fc95a7cfc1eb9306356510b0251b6d51fb1c0b0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r6qf-8968-wj9q",
"https://vulncheck.com/advisories/openclaw-mar-shell-approval-gating-bypass-via-dispatch-wrapper-depth-mismatch"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27183",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32899",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* a...",
"description": "OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:11.067",
"references": [
"https://github.com/openclaw/openclaw/commit/75dfb71e4e8b7c2feba5a8ca662f92ea840e0147",
"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32899",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32898",
"severity": "medium",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client...",
"description": "OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:10.870",
"references": [
"https://github.com/openclaw/openclaw/commit/12cc754332f9a7c92e158ce7644aa22df79c0904",
"https://github.com/openclaw/openclaw/commit/63dcd28ae0be2de1c75af09cc81841cebeec068f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7jx5-9fjg-hp4m"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32898",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32897",
"severity": "low",
"type": "unknown_cwe_320",
"nvd_category_id": "CWE-320",
"title": "OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID...",
"description": "OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:10.673",
"references": [
"https://github.com/openclaw/openclaw/commit/c99e7696e6893083b256f0a6c88fb060f3a76fb7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v6x2-2qvm-6gv8",
"https://www.vulncheck.com/advisories/openclaw-authentication-token-reuse-in-owner-id-prompt-hashing-fallback"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32897",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32896",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback au...",
"description": "OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:10.510",
"references": [
"https://github.com/openclaw/openclaw/commit/283029bdea23164ab7482b320cb420d1b90df806",
"https://github.com/openclaw/openclaw/commit/6b2f2811dc623e5faaf2f76afaa9279637174590",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32896",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32895",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subt...",
"description": "OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:10.303",
"references": [
"https://github.com/openclaw/openclaw/commit/3d30ba18a2aba1e1b302e77ff33145c3b06c01c8",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cg-4474-49v8",
"https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-in-slack-system-event-handlers"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32895",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32067",
"severity": "low",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-s...",
"description": "OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:10.093",
"references": [
"https://github.com/openclaw/openclaw/commit/a0c5e28f3bf0cc0cd9311f9e9ec2ca0352550dcf",
"https://github.com/openclaw/openclaw/commit/bce643a0bd145d3e9cb55400af33bd1b85baeb02",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vjp8-wprm-2jw9"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32067",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32065",
"severity": "medium",
"type": "unknown_cwe_436",
"nvd_category_id": "CWE-436",
"title": "OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.ru...",
"description": "OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:09.893",
"references": [
"https://github.com/openclaw/openclaw/commit/03e689fc89bbecbcd02876a95957ef1ad9caa176",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hwpq-rrpf-pgcq",
"https://www.vulncheck.com/advisories/openclaw-approval-identity-mismatch-in-system-run-command-execution"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32065",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32064",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authenticati...",
"description": "OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:09.697",
"references": [
"https://github.com/openclaw/openclaw/commit/621d8e1312482f122f18c43c72c67211b141da01",
"https://github.com/openclaw/openclaw/commit/8c1518f0f3e0533593cd2dec3a46c9b746753661",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32064",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32058",
"severity": "low",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run exec...",
"description": "OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:09.500",
"references": [
"https://github.com/openclaw/openclaw/commit/10481097f8e6dd0346db9be0b5f27570e1bdfcfa",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hjvp-qhm6-wrh2",
"https://www.vulncheck.com/advisories/openclaw-approval-context-binding-weakness-in-system-run-via-host-node"
],
"cvss_score": 2.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32058",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (2.6); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32057",
"severity": "high",
"type": "unknown_cwe_807",
"nvd_category_id": "CWE-807",
"title": "OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-p...",
"description": "OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain unauthorized access to node event execution flows.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:09.310",
"references": [
"https://github.com/openclaw/openclaw/commit/ec45c317f5d0631a3d333b236da58c4749ede2a3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vvgp-4c28-m3jm",
"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-control-ui-client-id-parameter"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32057",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32056",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and Z...",
"description": "OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:09.103",
"references": [
"https://github.com/openclaw/openclaw/commit/c2c7114ed39a547ab6276e1e933029b9530ee906",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg",
"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shell-startup-environment-variable-injection-in-system-run"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32056",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32055",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary va...",
"description": "OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:08.903",
"references": [
"https://github.com/openclaw/openclaw/commit/1aef45bc060b28a0af45a67dc66acd36aef763c9",
"https://github.com/openclaw/openclaw/commit/46eba86b45e9db05b7b792e914c4fe0de1b40a23",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mgrq-9f93-wpp5"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32055",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32054",
"severity": "medium",
"type": "unknown_cwe_59",
"nvd_category_id": "CWE-59",
"title": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and ...",
"description": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:08.703",
"references": [
"https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r",
"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32054",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32053",
"severity": "medium",
"type": "unknown_cwe_294",
"nvd_category_id": "CWE-294",
"title": "OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication w...",
"description": "OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:08.503",
"references": [
"https://github.com/openclaw/openclaw/commit/1d28da55a5d0ff409e34999e0961157e9db0a2ab",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vqx8-9xxw-f2m7",
"https://www.vulncheck.com/advisories/openclaw-twilio-webhook-replay-bypass-via-randomized-event-id-normalization"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32053",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32052",
"severity": "medium",
"type": "unknown_cwe_436",
"nvd_category_id": "CWE-436",
"title": "OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run she...",
"description": "OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass display context validation.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:08.287",
"references": [
"https://github.com/openclaw/openclaw/commit/0f0a680d3df81739ea5088a2f88e65f938b7936b",
"https://github.com/openclaw/openclaw/commit/55cf92578d266987e390c4bf688196af98eac748",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6rcp-vxwf-3mfp"
],
"cvss_score": 6.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32052",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.4); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32051",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows auth...",
"description": "OpenClaw versions prior to 2026.3.1 contain an authorization mismatch vulnerability that allows authenticated callers with operator.write scope to invoke owner-only tool surfaces including gateway and cron through agent runs in scoped-token deployments. Attackers with write-scope access can perform control-plane actions beyond their intended authorization level by exploiting inconsistent owner-only gating during agent execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:08.087",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jr6x-2q95-fh2g",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-agent-runs-via-owner-only-tool-access"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32051",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32050",
"severity": "low",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction noti...",
"description": "OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without proper DM or group access validation.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:07.897",
"references": [
"https://github.com/openclaw/openclaw/commit/2aa7842adeedef423be7ce283a9144b9f1a0a669",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-792q-qw95-f446",
"https://www.vulncheck.com/advisories/openclaw-unauthorized-reaction-status-event-enqueue-via-access-check-bypass"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32050",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32049",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limi...",
"description": "OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:07.700",
"references": [
"https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-inbound-media-download-byte-limit-bypass"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32049",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32048",
"severity": "high",
"type": "incorrect_permission_assignment",
"nvd_category_id": "CWE-732",
"title": "OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_...",
"description": "OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:07.510",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p7gr-f84w-hqg5",
"https://www.vulncheck.com/advisories/openclaw-sandbox-escape-via-cross-agent-sessions-spawn"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32048",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32046",
"severity": "medium",
"type": "unknown_cwe_1188",
"nvd_category_id": "CWE-1188",
"title": "OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that al...",
"description": "OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the host system.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:07.313",
"references": [
"https://github.com/openclaw/openclaw/commit/1835dec2004fe7a62c6a7ba46b8485f124ec6199",
"https://github.com/openclaw/openclaw/commit/e7eba01efc4c3c400e9cfd3ce3d661cbc788a631",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32046",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32045",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to ...",
"description": "OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:07.140",
"references": [
"https://github.com/openclaw/openclaw/commit/356d61aacfa5b0f1d5830716ec59d70682a3e7b8",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8",
"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-in-http-gateway-routes-via-tokenless-tailscale-auth"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32045",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32044",
"severity": "medium",
"type": "unknown_cwe_409",
"nvd_category_id": "CWE-409",
"title": "OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 insta...",
"description": "OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:06.950",
"references": [
"https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227",
"https://www.vulncheck.com/advisories/openclaw-tar-archive-safety-bypass-in-skills-installation"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32044",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32043",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-b...",
"description": "OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:06.747",
"references": [
"https://github.com/openclaw/openclaw/commit/f789f880c934caa8be25b38832f27f90f37903db",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mwcg-wfq3-4gjc",
"https://www.vulncheck.com/advisories/openclaw-time-of-check-time-of-use-via-mutable-symlink-in-system-run-cwd-parameter"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32043",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32042",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing...",
"description": "OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with valid shared gateway authentication can present a self-signed unpaired device identity to request and obtain higher operator scopes before pairing approval is granted.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-21T01:17:06.547",
"references": [
"https://github.com/openclaw/openclaw/commit/8d1481cb4a9d31bd617e52dc8c392c35689d9dea",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-553v-f69r-656j",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unpaired-device-identity-in-shared-gateway-authentication"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32042",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22172",
"severity": "critical",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket ...",
"description": "OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-20T15:16:15.490",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8",
"https://www.vulncheck.com/advisories/openclaw-scope-elevation-in-websocket-shared-auth-connections"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22172",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32041",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during s...",
"description": "OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:40.643",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vpj2-69hf-rppw",
"https://www.vulncheck.com/advisories/openclaw-unauthenticated-browser-control-access-via-failed-auth-bootstrap"
],
"cvss_score": 6.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32041",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.9); requires local access; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32040",
"severity": "medium",
"type": "cross_site_scripting",
"nvd_category_id": "CWE-79",
"title": "OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exp...",
"description": "OpenClaw versions prior to 2026.2.23 contain an html injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary javascript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when exported HTML is opened.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:40.420",
"references": [
"https://github.com/openclaw/openclaw/pull/24140",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2ww6-868g-2c56",
"https://www.vulncheck.com/advisories/openclaw-html-injection-via-unvalidated-image-mime-type-in-data-url-interpolation"
],
"cvss_score": 4.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32040",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.6); requires local access; XSS has limited impact in headless agents",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32039",
"severity": "medium",
"type": "insecure_direct_object_reference",
"nvd_category_id": "CWE-639",
"title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySen...",
"description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:40.207",
"references": [
"https://github.com/openclaw/openclaw/commit/5547a2275cb69413af3b62c795b93214fe913b57",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39",
"https://www.vulncheck.com/advisories/openclaw-sender-authorization-bypass-via-identity-collision-in-toolsbysender"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32039",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32038",
"severity": "critical",
"type": "improper_access_control",
"nvd_category_id": "CWE-284",
"title": "OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trus...",
"description": "OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container:<id> values to reach services in target container namespaces and bypass network hardening controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:39.997",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-ww6v-v748-x7g9",
"https://www.vulncheck.com/advisories/openclaw-sandbox-network-isolation-bypass-via-docker-network-container-parameter"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32038",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32037",
"severity": "medium",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configure...",
"description": "OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:39.790",
"references": [
"https://github.com/openclaw/openclaw/commit/73d93dee64127a26f1acd09d0403b794cdeb4f5c",
"https://github.com/openclaw/openclaw/commit/b34097f62df9d1960cc22600269cd3f3284e2124",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w76h-8m22-hpgh"
],
"cvss_score": 6.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32037",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.0); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32036",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allo...",
"description": "OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:39.583",
"references": [
"https://github.com/openclaw/openclaw/commit/258d615c45527ffda37cecd08cd268f97461bde0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mwxv-35wr-4vvj",
"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-encoded-dot-segment-traversal-in-api-channels"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32036",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32035",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voic...",
"description": "OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust channels.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:39.373",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wpg9-4g4v-f9rc",
"https://www.vulncheck.com/advisories/openclaw-missing-owner-flag-validation-in-discord-voice-transcript-handler"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32035",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32034",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control U...",
"description": "OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or intercepted credentials can obtain high-privilege Control UI access by exploiting the lack of secure authentication enforcement over unencrypted HTTP connections.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:39.167",
"references": [
"https://github.com/openclaw/openclaw/commit/40a292619e1f2be3a3b1db663d7494c9c2dc0abf",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj",
"https://www.vulncheck.com/advisories/openclaw-insecure-control-ui-authentication-over-plaintext-http"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32034",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32033",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolut...",
"description": "OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the intended workspace boundary when tools.fs.workspaceOnly is enabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:38.957",
"references": [
"https://github.com/openclaw/openclaw/commit/9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-27cr-4p5m-74rj",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-prefixed-absolute-paths-in-workspace-boundary-validation"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32033",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32032",
"severity": "high",
"type": "unknown_cwe_426",
"nvd_category_id": "CWE-426",
"title": "OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell env...",
"description": "OpenClaw versions prior to 2026.2.22 contain an arbitrary shell execution vulnerability in shell environment fallback that trusts the unvalidated SHELL path from the host environment. An attacker with local environment access can inject a malicious SHELL variable to execute arbitrary commands with the privileges of the OpenClaw process.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:38.750",
"references": [
"https://github.com/openclaw/openclaw/commit/25e89cc86338ef475d26be043aa541dfdb95e52a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-shell-execution-via-unvalidated-shell-environment-variable"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32032",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.0); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32031",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in ...",
"description": "OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler routing. Attackers can bypass authentication by sending requests with alternative path encodings to access protected plugin channel APIs without proper gateway authentication.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:38.550",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8j2w-6fmm-m587",
"https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-path-canonicalization-mismatch-in-api-channels-gateway"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32031",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32030",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia...",
"description": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:38.340",
"references": [
"https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9",
"https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32030",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32029",
"severity": "medium",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value whe...",
"description": "OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:38.123",
"references": [
"https://github.com/openclaw/openclaw/commit/07039dc089e51589a213ec0d16f8d6f2cd871fa1",
"https://github.com/openclaw/openclaw/commit/8877bfd11ec7760b115b2d0d7500a45da2749747",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32029",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32028",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on ...",
"description": "OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM messages to bypass DM authorization restrictions and trigger downstream automation or tool policies.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:37.917",
"references": [
"https://github.com/openclaw/openclaw/commit/aedf62ac7e669a89c7b299201bf6537dc6b12e0e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-354r-7mfh-7rh2",
"https://www.vulncheck.com/advisories/openclaw-missing-authorization-check-in-discord-dm-reaction-ingress"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32028",
"exploitability_score": "high",
"exploitability_rationale": "Low CVSS score (3.7); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32027",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-...",
"description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly eligible for group allowlist authorization checks. Attackers can exploit this cross-context authorization flaw by using a sender approved via DM pairing to satisfy group sender allowlist checks without explicit presence in groupAllowFrom, bypassing group message access controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:37.713",
"references": [
"https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9",
"https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jv6r-27ww-4gw4"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32027",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32026",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox me...",
"description": "OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to read and exfiltrate arbitrary files from the host temporary directory through attachment delivery mechanisms.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:37.510",
"references": [
"https://github.com/openclaw/openclaw/commit/79a7b3d22ef92e36a4031093d80a0acb0d82f351",
"https://github.com/openclaw/openclaw/commit/d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5",
"https://github.com/openclaw/openclaw/commit/def993dbd843ff28f2b3bad5cc24603874ba9f1e"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32026",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32025",
"severity": "high",
"type": "unknown_cwe_307",
"nvd_category_id": "CWE-307",
"title": "OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSo...",
"description": "OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:37.210",
"references": [
"https://github.com/openclaw/openclaw/commit/c736f11a16d6bc27ea62a0fe40fffae4cb071fdb",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jmmg-jqc7-5qf4",
"https://www.vulncheck.com/advisories/openclaw-password-brute-force-via-browser-origin-websocket-authentication-bypass"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32025",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32024",
"severity": "medium",
"type": "unknown_cwe_59",
"nvd_category_id": "CWE-59",
"title": "OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling th...",
"description": "OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:36.737",
"references": [
"https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77",
"https://github.com/openclaw/openclaw/commit/6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32024",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32023",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run a...",
"description": "OpenClaw versions prior to 2026.2.24 contain an approval gating bypass vulnerability in system.run allowlist mode where nested transparent dispatch wrappers can suppress shell-wrapper detection. Attackers can exploit this by chaining multiple dispatch wrappers like /usr/bin/env to execute /bin/sh -c commands without triggering the expected approval prompt in allowlist plus ask=on-miss configurations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:36.520",
"references": [
"https://github.com/openclaw/openclaw/commit/57c9a18180c8b14885bbd95474cbb17ff2d03f0b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-ccg8-46r6-9qgj",
"https://www.vulncheck.com/advisories/openclaw-approval-gating-bypass-via-dispatch-wrapper-depth-cap-mismatch-in-system-run"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32023",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32022",
"severity": "medium",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep to...",
"description": "OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern via the -e flag parameter. Attackers can include a positional filename operand to bypass file access restrictions and read sensitive files .env from the working directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:36.310",
"references": [
"https://github.com/openclaw/openclaw/commit/c6ee14d60e4cbd6a82f9b2d74ebeb1e8ee814964",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3xfw-4pmr-4xc5",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-grep-e-flag-policy-bypass"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32022",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32021",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu all...",
"description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the Feishu allowFrom allowlist implementation that accepts mutable sender display names instead of enforcing ID-only matching. An attacker can set a display name equal to an allowlisted ID string to bypass authorization checks and gain unauthorized access.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:36.103",
"references": [
"https://github.com/openclaw/openclaw/commit/4ed87a667263ed2d422b9d5d5a5d326e099f92c7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j4xf-96qf-rx69",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-display-name-collision-in-feishu-allowfrom"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32021",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32020",
"severity": "low",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handl...",
"description": "OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass directory confinement checks and read arbitrary files outside the intended root.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:35.897",
"references": [
"https://github.com/openclaw/openclaw/commit/7c500ff6236fa087ec1ec88696ca9f6881e90dc5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5ghc-98wh-gwwf",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-symlink-following-in-static-file-handler"
],
"cvss_score": 3.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32020",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.3); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32019",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isP...",
"description": "OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to special-use IPv4 ranges can exploit web_fetch functionality to access blocked addresses such as 198.18.0.0/15 and other non-global ranges.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:35.680",
"references": [
"https://github.com/openclaw/openclaw/commit/333fbb86347998526dd514290adfd5f727caa6d9",
"https://github.com/openclaw/openclaw/commit/44dfbd23df453e51b71ef79a148c28c53e89168c",
"https://github.com/openclaw/openclaw/commit/71bd15bb4294d3d1b54386064d69cd0f5f731bd8"
],
"cvss_score": 7.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32019",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.0); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32018",
"severity": "low",
"type": "race_condition",
"nvd_category_id": "CWE-362",
"title": "OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegi...",
"description": "OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operations without locking to cause registry updates to lose data, resurrect removed entries, or corrupt sandbox state affecting list, prune, and recreate operations.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:35.463",
"references": [
"https://github.com/openclaw/openclaw/commit/cc29be8c9bcdfaecb90f0ab13124c8f5362a6741",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gq83-8q7q-9hfx",
"https://www.vulncheck.com/advisories/openclaw-race-condition-in-sandbox-registry-write-operations"
],
"cvss_score": 3.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32018",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.6); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32017",
"severity": "high",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins ...",
"description": "OpenClaw versions prior to 2026.2.19 contain an allowlist bypass vulnerability in the exec safeBins policy that allows attackers to write arbitrary files using short-option payloads. Attackers can bypass argument validation by attaching short options like -o to whitelisted binaries, enabling unauthorized file-write operations that should be denied by safeBins checks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:35.237",
"references": [
"https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754",
"https://github.com/openclaw/openclaw/commit/cfe8457a0f4aae5324daec261d3b0aad1461a4bc",
"https://github.com/openclaw/openclaw/commit/fec48a5006eab37c6a5821726ccaeec886486b13"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32017",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32016",
"severity": "high",
"type": "unknown_cwe_426",
"nvd_category_id": "CWE-426",
"title": "OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the ...",
"description": "OpenClaw versions prior to 2026.2.22 on macOS contain a path validation bypass vulnerability in the exec-approval allowlist mode that allows local attackers to execute unauthorized binaries by exploiting basename-only allowlist entries. Attackers can execute same-name local binaries ./echo without approval when security=allowlist and ask=on-miss are configured, bypassing intended path-based policy restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:35.027",
"references": [
"https://github.com/openclaw/openclaw/commit/dd41fadcaf58fd9deb963d6e163c56161e7b35dd",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7f4q-9rqh-x36p",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-via-basename-only-allowlist-matching-on-macos"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32016",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.0); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32015",
"severity": "high",
"type": "unknown_cwe_426",
"nvd_category_id": "CWE-426",
"title": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec....",
"description": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a path hijacking vulnerability in tools.exec.safeBins that allows attackers to bypass allowlist checks by controlling process PATH resolution. Attackers who can influence the gateway process PATH or launch environment can execute trojan binaries with allowlisted names, such as jq, circumventing executable validation controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:34.810",
"references": [
"https://github.com/openclaw/openclaw/commit/28bac46c92069dc728524fbf383024c1b64e5c23",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g75x-8qqm-2vxp",
"https://www.vulncheck.com/advisories/openclaw-path-hijacking-bypass-in-tools-exec-safebins-allowlist-validation"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32015",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.0); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32014",
"severity": "high",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platf...",
"description": "OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:34.610",
"references": [
"https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf",
"https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields"
],
"cvss_score": 8.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.0); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32013",
"severity": "high",
"type": "unknown_cwe_59",
"nvd_category_id": "CWE-59",
"title": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.g...",
"description": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:34.410",
"references": [
"https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc",
"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32013",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32011",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers fo...",
"description": "OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:34.197",
"references": [
"https://github.com/openclaw/openclaw/commit/d3e8b17aa6432536806b4853edc7939d891d0f25",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x4vp-4235-65hg",
"https://www.vulncheck.com/advisories/openclaw-slow-request-denial-of-service-via-pre-auth-webhook-body-parsing"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32011",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32010",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin confi...",
"description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrary external programs without operator approval in allowlist mode with ask=on-miss enabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:33.990",
"references": [
"https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4gc7-qcvf-38wg",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-compress-program-parameter"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32010",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32009",
"severity": "medium",
"type": "unknown_cwe_426",
"nvd_category_id": "CWE-426",
"title": "OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist...",
"description": "OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /opt/homebrew/bin and /usr/local/bin. An attacker with write access to these trusted directories can place a malicious binary with the same name as an allowed executable to achieve arbitrary command execution within the OpenClaw runtime context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:33.787",
"references": [
"https://github.com/openclaw/openclaw/commit/b67e600bff696ff2ed9b470826590c0ce6b3bb0a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5gj7-jf77-q2q2",
"https://www.vulncheck.com/advisories/openclaw-binary-hijacking-via-static-default-trusted-directories-in-safebins"
],
"cvss_score": 5.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32009",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32008",
"severity": "medium",
"type": "unknown_cwe_610",
"nvd_category_id": "CWE-610",
"title": "OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the ...",
"description": "OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:33.577",
"references": [
"https://github.com/openclaw/openclaw/commit/220bd95eff6838234e8b4b711f86d4565e16e401",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-45cg-2683-gfmq",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-browser-navigation-guard"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32008",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32007",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental appl...",
"description": "OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:33.370",
"references": [
"https://github.com/openclaw/openclaw/commit/6634030be31e1a1842967df046c2f2e47490e6bf",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg",
"https://www.vulncheck.com/advisories/openclaw-sandbox-bypass-in-apply-patch-tool-via-workspace-only-check-bypass"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32007",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.8); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32006",
"severity": "low",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-...",
"description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:33.157",
"references": [
"https://github.com/openclaw/openclaw/commit/051fdcc428129446e7c084260f837b7284279ce9",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-25pw-4h6w-qwvm",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-dm-pairing-store-fallback-in-group-allowlist"
],
"cvss_score": 3.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32006",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32005",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive cal...",
"description": "OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:32.950",
"references": [
"https://github.com/openclaw/openclaw/commit/ce8c67c314b93f570f53c2a9abc124e1e3a54715",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x2ff-j5c2-ggpr",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-interactive-callbacks-via-sender-check-skip"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32005",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32004",
"severity": "medium",
"type": "unknown_cwe_288",
"nvd_category_id": "CWE-288",
"title": "OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/chann...",
"description": "OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants such as multi-encoded %2f to access protected /api/channels endpoints.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:32.730",
"references": [
"https://github.com/openclaw/openclaw/commit/2fd8264ab03bd178e62a5f0c50d1c8556c17f12d",
"https://github.com/openclaw/openclaw/commit/7a7eee920a176a0043398c6b37bf4cc6eb983eeb",
"https://github.com/openclaw/openclaw/commit/93b07240257919f770d1e263e1f22753937b80ea"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32004",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32003",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the ...",
"description": "OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:32.527",
"references": [
"https://github.com/openclaw/openclaw/commit/e80c803fa887f9699ad87a9e906ab5c1ff85bd9a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4",
"https://www.vulncheck.com/advisories/openclaw-remote-code-execution-via-shellopts-ps4-environment-injection-in-system-run"
],
"cvss_score": 6.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32003",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.6); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32002",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image t...",
"description": "OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:32.327",
"references": [
"https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q6qf-4p5j-r25g",
"https://www.vulncheck.com/advisories/openclaw-sandbox-boundary-bypass-via-image-tool-workspaceonly-bypass"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32002",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32001",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clie...",
"description": "OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T22:16:32.113",
"references": [
"https://github.com/openclaw/openclaw/commit/ddcb2d79b17bf2a42c5037d8aeff1537a12b931e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rv2q-f2h5-6xmg",
"https://www.vulncheck.com/advisories/openclaw-node-role-device-identity-bypass-via-websocket-authentication"
],
"cvss_score": 5.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32001",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.4); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32000",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extens...",
"description": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in command arguments to execute arbitrary commands when subprocess launch fails with EINVAL or ENOENT errors.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:05.793",
"references": [
"https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-tool-execution"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32000",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31999",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injecti...",
"description": "OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:05.580",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6f6j-wx9w-ff4j",
"https://www.vulncheck.com/advisories/openclaw-current-working-directory-injection-via-windows-wrapper-resolution-fallback"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31999",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31998",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synol...",
"description": "OpenClaw versions 2026.2.22 and 2026.2.23 contain an authorization bypass vulnerability in the synology-chat channel plugin where dmPolicy set to allowlist with empty allowedUserIds fails open. Attackers with Synology sender access can bypass authorization checks and trigger unauthorized agent dispatch and downstream tool actions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:05.347",
"references": [
"https://github.com/openclaw/openclaw/commit/0ee30361b8f6ef3f110f3a7b001da6dd3df96bb5",
"https://github.com/openclaw/openclaw/commit/7655c0cb3a47d0647cbbf5284e177f90b4b82ddb",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gw85-xp4q-5gp9"
],
"cvss_score": 8.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31998",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.0); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31997",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens...",
"description": "OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:05.130",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q399-23r3-hfx4",
"https://www.vulncheck.com/advisories/openclaw-executable-rebind-via-unbound-path-token-in-system-run-approvals"
],
"cvss_score": 6.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31997",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.0); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31996",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnera...",
"description": "OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with command execution access can leverage sort -o flag for arbitrary file writes or grep -R flag for recursive file reads, circumventing intended stdin-only restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:04.917",
"references": [
"https://github.com/openclaw/openclaw/commit/2c05cbb43e48ebad03626d3125746fb1b9a8520f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4685-c5cp-vp95",
"https://www.vulncheck.com/advisories/openclaw-safebins-stdin-only-bypass-via-sort-output-and-recursive-grep-flags"
],
"cvss_score": 4.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31996",
"exploitability_score": "high",
"exploitability_rationale": "Low CVSS score (3.6); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31995",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobs...",
"description": "OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:04.707",
"references": [
"https://github.com/openclaw/openclaw/commit/ba7be018da354ea9f803ed356d20464df0437916",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fg3m-vhrr-8gj6",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-windows-shell-fallback-in-lobster-extension"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31995",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31994",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows sche...",
"description": "OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:04.493",
"references": [
"https://github.com/openclaw/openclaw/commit/280c6b117b2f0e24f398e5219048cd4cc3b82396",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mqr9-vqhq-3jxw",
"https://www.vulncheck.com/advisories/openclaw-local-command-injection-via-unsafe-cmd-argument-handling-in-windows-scheduled-task"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31994",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31993",
"severity": "medium",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macO...",
"description": "OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app that allows authenticated operators to bypass exec approval checks. Attackers with operator.write privileges and a paired macOS beta node can craft shell-chain payloads that pass incomplete allowlist validation and execute arbitrary commands on the paired host.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:04.277",
"references": [
"https://github.com/openclaw/openclaw/commit/5da03e622119fa012285cdb590fcf4264c965cb5",
"https://github.com/openclaw/openclaw/commit/e371da38aab99521c4e076cd3d95fd775e00b784",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5f9p-f3w2-fwch"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31993",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31992",
"severity": "high",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardra...",
"description": "OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell wrapper payloads at runtime.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:04.070",
"references": [
"https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b",
"https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31992",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31991",
"severity": "low",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal grou...",
"description": "OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist policy incorrectly accepts sender identities from DM pairing-store approvals. Attackers can exploit this boundary weakness by obtaining DM pairing approval to bypass group allowlist checks and gain unauthorized group access.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:03.863",
"references": [
"https://github.com/openclaw/openclaw/commit/64de4b6d6ae81e269ceb4ca16f53cda99ced967a",
"https://github.com/openclaw/openclaw/commit/8bdda7a651c21e98faccdbbd73081e79cffe8be0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wm8r-w8pf-2v6w"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31991",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31990",
"severity": "medium",
"type": "unknown_cwe_59",
"nvd_category_id": "CWE-59",
"title": "OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in whi...",
"description": "OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:03.647",
"references": [
"https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c",
"https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31990",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-31989",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_searc...",
"description": "OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets can trigger internal-network requests from the OpenClaw host to loopback, private, or internal destinations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:03.430",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g99v-8hwm-g76g",
"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-web-search-citation-redirect"
],
"cvss_score": 7.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31989",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.4); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29608",
"severity": "medium",
"type": "unknown_cwe_88",
"nvd_category_id": "CWE-88",
"title": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution whe...",
"description": "OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended code despite operator approval of different command text.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:2026.3.1:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:03.223",
"references": [
"https://github.com/openclaw/openclaw/commit/dded569626b0d8e7bdab10b5e7528b6caf73a0f1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3rm-6x7g-882f",
"https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-via-system-run-argv-rewriting"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29608",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29607",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always w...",
"description": "OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inner executable intent. Remote attackers can approve benign wrapped system.run commands and subsequently execute different payloads without approval, enabling remote code execution on gateway and node-host execution flows.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:03.010",
"references": [
"https://github.com/openclaw/openclaw/commit/24c954d972400f508814532dea0e4dcb38418bb0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-allow-always-wrapper-persistence"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29607",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.4); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28461",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo web...",
"description": "OpenClaw versions prior to 2026.3.1 contain an unbounded memory growth vulnerability in the Zalo webhook endpoint that allows unauthenticated attackers to trigger in-memory key accumulation by varying query strings. Remote attackers can exploit this by sending repeated requests with different query parameters to cause memory pressure, process instability, or out-of-memory conditions that degrade service availability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:02.810",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wr6m-jg37-68xh",
"https://www.vulncheck.com/advisories/openclaw-unbounded-memory-growth-in-zalo-webhook-via-query-string-key-churn"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28461",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28460",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that al...",
"description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers can bypass security analysis by injecting $\\\\ followed by a newline and opening parenthesis inside double quotes, causing the shell to fold the line continuation into executable command substitution that circumvents approval boundaries.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:02.603",
"references": [
"https://github.com/openclaw/openclaw/commit/3f0b9dbb36c86e308267924c0d3d4a4e1fc4d1e9",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9868-vxmx-w862",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-shell-line-continuation-command-substitution-in-system-run"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28460",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28449",
"severity": "medium",
"type": "unknown_cwe_294",
"nvd_category_id": "CWE-294",
"title": "OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, al...",
"description": "OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook requests to trigger duplicate inbound message processing and cause integrity or availability issues.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:02.390",
"references": [
"https://github.com/openclaw/openclaw/commit/d512163d686ad6741783e7119ddb3437f493dbbc",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r9q5-c7qc-p26w",
"https://www.vulncheck.com/advisories/openclaw-webhook-replay-attack-via-missing-durable-replay-suppression"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28449",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27670",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that al...",
"description": "OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:02.173",
"references": [
"https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-zip-extraction-parent-symlink-race-condition"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27670",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27566",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec an...",
"description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to smuggle payloads that satisfy allowlist entries while executing non-allowlisted commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:01.967",
"references": [
"https://github.com/openclaw/openclaw/commit/2b63592be57782c8946e521bc81286933f0f99c7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-wrapper-binary-unwrapping-in-system-run"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27566",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22176",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled ...",
"description": "OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell metacharacters to break out of assignment context. Attackers can inject arbitrary commands through environment variable values containing metacharacters like &, |, ^, %, or ! to achieve command execution when the scheduled task script is generated and executed.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-19T02:16:01.733",
"references": [
"https://github.com/openclaw/openclaw/commit/dafe52e8cf1a041d898cfb304a485fa05e5f58fb",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pj5x-38rw-6fph",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-unescaped-environment-variables-in-windows-scheduled-task"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22176",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27545",
"severity": "medium",
"type": "unknown_cwe_367",
"nvd_category_id": "CWE-367",
"title": "OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run executio...",
"description": "OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:23.837",
"references": [
"https://github.com/openclaw/openclaw/commit/4b4718c8dfce2e2c48404aa5088af7c013bed60b",
"https://github.com/openclaw/openclaw/commit/4e690e09c746408b5e27617a20cb3fdc5190dbda",
"https://github.com/openclaw/openclaw/commit/78a7ff2d50fb3bcef351571cb5a0f21430a340c1"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27545",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27524",
"severity": "medium",
"type": "unknown_cwe_1321",
"nvd_category_id": "CWE-1321",
"title": "OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override o...",
"description": "OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:23.627",
"references": [
"https://github.com/openclaw/openclaw/commit/fbb79d4013000552d6a2c23b9613d8b3cb92f6b6",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5",
"https://www.vulncheck.com/advisories/openclaw-prototype-pollution-via-debug-override-path"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27524",
"exploitability_score": "medium",
"exploitability_rationale": "Low CVSS score (3.1); network accessible; prototype pollution can escalate in Node.js agents",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27523",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attack...",
"description": "OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:23.420",
"references": [
"https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc",
"https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27523",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27522",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachme...",
"description": "OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:23.220",
"references": [
"https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-sendattachment-and-setgroupicon-message-actions"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27522",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22217",
"severity": "medium",
"type": "unknown_cwe_829",
"nvd_category_id": "CWE-829",
"title": "OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in s...",
"description": "OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:23.003",
"references": [
"https://github.com/openclaw/openclaw/commit/ff10fe8b91670044a6bb0cd85deb736a0ec8fb55",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p4wh-cr8m-gm6c",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22217",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22181",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch p...",
"description": "OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_PROXY environment variables are present, attacker-influenced URLs can be routed through proxy behavior instead of pinned-destination routing, enabling access to internal targets reachable from the proxy environment.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:22.800",
"references": [
"https://github.com/openclaw/openclaw/commit/345abf0b2e0f43b0f229e96f252ebf56f1e5549e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8mvx-p2r9-r375",
"https://www.vulncheck.com/advisories/openclaw-dns-pinning-bypass-via-environment-proxy-configuration-in-web-fetch"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22181",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.4); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22180",
"severity": "medium",
"type": "unknown_cwe_59",
"nvd_category_id": "CWE-59",
"title": "OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser outpu...",
"description": "OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound restrictions and write files to arbitrary locations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:22.583",
"references": [
"https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp",
"https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22180",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22179",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulne...",
"description": "OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. Attackers can craft shell payloads with command substitution syntax within double-quoted text to bypass security restrictions and execute arbitrary commands on the system.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:22.377",
"references": [
"https://github.com/openclaw/openclaw/commit/90a378ca3a9ecbf1634cd247f17a35f4612c6ca6",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-command-substitution-in-system-run"
],
"cvss_score": 7.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22179",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.6); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22178",
"severity": "medium",
"type": "unknown_cwe_1333",
"nvd_category_id": "CWE-1333",
"title": "OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention...",
"description": "OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:22.160",
"references": [
"https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c",
"https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22178",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22177",
"severity": "medium",
"type": "unknown_cwe_15",
"nvd_category_id": "CWE-15",
"title": "OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables ...",
"description": "OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:21.957",
"references": [
"https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7",
"https://www.vulncheck.com/advisories/openclaw-environment-variable-injection-via-config-env-vars"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22177",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22175",
"severity": "high",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode...",
"description": "OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:21.733",
"references": [
"https://github.com/openclaw/openclaw/commit/a67689a7e3ad494b6637c76235a664322d526f9e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gwqp-86q6-w47g",
"https://www.vulncheck.com/advisories/openclaw-exec-approval-bypass-via-unrecognized-multiplexer-shell-wrappers"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22175",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22174",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe ...",
"description": "OpenClaw versions prior to 2026.2.22 inject the x-OpenClaw-relay-token header into Chrome CDP probe traffic on loopback interfaces, allowing local processes to capture the Gateway authentication token. An attacker controlling a loopback port can intercept CDP reachability probes to the /json/version endpoint and reuse the leaked token as Gateway bearer authentication.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:21.517",
"references": [
"https://github.com/openclaw/openclaw/commit/afa22acc4a09fdf32be8a167ae216bee85c30dad",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v3j7-34xh-6g3w",
"https://www.vulncheck.com/advisories/openclaw-gateway-token-disclosure-via-chrome-cdp-probe"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22174",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.7); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22171",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media down...",
"description": "OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:21.310",
"references": [
"https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871",
"https://github.com/openclaw/openclaw/commit/cdb00fe2428000e7a08f9b7848784a0049176705",
"https://github.com/openclaw/openclaw/commit/ec232a9e2dff60f0e3d7e827a7c868db5254473f"
],
"cvss_score": 8.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22171",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.2); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22170",
"severity": "medium",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control ...",
"description": "OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attackers can send direct messages to BlueBubbles accounts by exploiting the misconfigured allowlist validation logic to bypass intended sender authorization checks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:21.100",
"references": [
"https://github.com/openclaw/openclaw/commit/2ba6de7eaad812e5e8603018e14e54e96bdd57dd",
"https://github.com/openclaw/openclaw/commit/4540790cb62412676f7b61cfc6e47443f84a251e",
"https://github.com/openclaw/openclaw/commit/51c0893673de8e5cea64e64351dbfa4680ba0dec"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22170",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22169",
"severity": "medium",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins confi...",
"description": "OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:20.893",
"references": [
"https://github.com/openclaw/openclaw/commit/57fbbaebca4d34d17549accf6092ae26eb7b605c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vmqr-rc7x-3446",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-configuration-in-safebins"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22169",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-22168",
"severity": "medium",
"type": "unknown_cwe_88",
"nvd_category_id": "CWE-88",
"title": "OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system....",
"description": "OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-18T02:16:20.680",
"references": [
"https://github.com/openclaw/openclaw/commit/6007941f04df1edcca679dd6c95949744fdbd4df",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5v6x-rfc3-7qfr",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmd-exe-c-trailing-arguments-in-system-run"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22168",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32302",
"severity": "high",
"type": "unknown_cwe_346",
"nvd_category_id": "CWE-346",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections co...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-13T19:54:41.650",
"references": [
"https://github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32302",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-4040",
"severity": "low",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.ex...",
"description": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-12T12:15:59.990",
"references": [
"https://github.com/openclaw/openclaw/",
"https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1"
],
"cvss_score": 3.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4040",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-4039",
"severity": "medium",
"type": "unknown_cwe_74",
"nvd_category_id": "CWE-74",
"title": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function appl...",
"description": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-12T12:15:59.740",
"references": [
"https://github.com/openclaw/openclaw/",
"https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4039",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-30741",
"severity": "critical",
"type": "code_injection",
"nvd_category_id": "CWE-94",
"title": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to...",
"description": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T16:16:41.530",
"references": [
"https://github.com/Named1ess/CVE-2026-30741",
"https://github.com/OpenClaw/OpenClaw",
"https://www.bilibili.com/video/BV1LoFazeEBM"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30741",
"exploitability_score": "high",
"exploitability_rationale": "No CVSS score available; requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "unknown"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32063",
"severity": "high",
"type": "command_injection",
"nvd_category_id": "CWE-77",
"title": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in system...",
"description": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.580",
"references": [
"https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32063",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32062",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to...",
"description": "OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw\\/voice-call:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.340",
"references": [
"https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j",
"https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32062",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32061",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directiv...",
"description": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.140",
"references": [
"https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal"
],
"cvss_score": 4.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32061",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.4); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32060",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allo...",
"description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:27.943",
"references": [
"https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32060",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32059",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fail...",
"description": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:27.743",
"references": [
"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-long-option-abbreviation-in-toolsexecsafebins"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32059",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29613",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) we...",
"description": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.850",
"references": [
"https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a",
"https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29613",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29612",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing...",
"description": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.660",
"references": [
"https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29611",
"severity": "high",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles ext...",
"description": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.460",
"references": [
"https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv",
"https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29611",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29610",
"severity": "high",
"type": "unknown_cwe_427",
"nvd_category_id": "CWE-427",
"title": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers...",
"description": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.253",
"references": [
"https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6",
"https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29610",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29609",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard...",
"description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.043",
"references": [
"https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29609",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29606",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-ca...",
"description": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.850",
"references": [
"https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76",
"https://www.vulncheck.com/advisories/openclaw-webhook-signature-verification-bypass-via-ngrok-loopback-compatibility"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29606",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28486",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive e...",
"description": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2026.1.16-2:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.640",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28486",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28485",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent...",
"description": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.440",
"references": [
"https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e0287f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj",
"https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-control-http-endpoints"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28485",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28482",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId par...",
"description": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.013",
"references": [
"https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26",
"https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28482",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28481",
"severity": "medium",
"type": "unknown_cwe_201",
"nvd_category_id": "CWE-201",
"title": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in...",
"description": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.810",
"references": [
"https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332",
"https://www.vulncheck.com/advisories/openclaw-bearer-token-leakage-via-ms-teams-attachment-downloader-suffix-matching"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28481",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28480",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram al...",
"description": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.610",
"references": [
"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128",
"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28479",
"severity": "high",
"type": "risky_cryptographic_algorithm",
"nvd_category_id": "CWE-327",
"title": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and ...",
"description": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:-:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.410",
"references": [
"https://github.com/openclaw/openclaw/commit/559c8d9930eebb5356506ff1a8cd3dbaec92be77",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fh3f-q9qw-93j9",
"https://www.vulncheck.com/advisories/openclaw-cache-poisoning-via-deprecated-sha-hash-in-sandbox-configuration"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28479",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28478",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers t...",
"description": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.210",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28477",
"severity": "high",
"type": "cross_site_request_forgery",
"nvd_category_id": "CWE-352",
"title": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the m...",
"description": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.007",
"references": [
"https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj",
"https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28477",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28476",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the opti...",
"description": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.807",
"references": [
"https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815cc1b1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc",
"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-tlon-extension-authentication"
],
"cvss_score": 8.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28476",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28475",
"severity": "medium",
"type": "unknown_cwe_208",
"nvd_category_id": "CWE-208",
"title": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validati...",
"description": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.617",
"references": [
"https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272",
"https://www.vulncheck.com/advisories/openclaw-timing-attack-via-hook-token-comparison"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28475",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28474",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable ...",
"description": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.423",
"references": [
"https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r",
"https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28474",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28473",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with...",
"description": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.220",
"references": [
"https://github.com/openclaw/openclaw/commit/efe2a464afcff55bb5a95b959e6bd9ec0fef086e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-approve-chat-command"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28473",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28472",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handsha...",
"description": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.017",
"references": [
"https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459",
"https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28472",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28471",
"severity": "medium",
"type": "improper_authentication",
"nvd_category_id": "CWE-287",
"title": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contai...",
"description": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.817",
"references": [
"https://github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-displayname-and-cross-homeserver-localpart-matching-in-matrix"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28471",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28470",
"severity": "critical",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vul...",
"description": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.607",
"references": [
"https://github.com/openclaw/openclaw/commit/d1ecb46076145deb188abcba8f0699709ea17198",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5",
"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-command-substitution-in-double-quotes"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28470",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28469",
"severity": "high",
"type": "insecure_direct_object_reference",
"nvd_category_id": "CWE-639",
"title": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat moni...",
"description": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.407",
"references": [
"https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248",
"https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28468",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser...",
"description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.197",
"references": [
"https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0",
"https://github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01ced7e3",
"https://github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db9519426d67"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28468",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28467",
"severity": "medium",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachmen...",
"description": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.997",
"references": [
"https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae",
"https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28467",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28466",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to san...",
"description": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.790",
"references": [
"https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd",
"https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d",
"https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28466",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28465",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerabili...",
"description": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.593",
"references": [
"https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x",
"https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28465",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28464",
"severity": "medium",
"type": "unknown_cwe_208",
"nvd_category_id": "CWE-208",
"title": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validati...",
"description": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.393",
"references": [
"https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p",
"https://www.vulncheck.com/advisories/openclaw-timing-attack-in-hooks-token-authentication"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28464",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28463",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approv...",
"description": "OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or through prompt-injection attacks can exploit safe binaries like head, tail, or grep with glob patterns or environment variables to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.127",
"references": [
"https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28463",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28462",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it ...",
"description": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.873",
"references": [
"https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28462",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28459",
"severity": "high",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authe...",
"description": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.670",
"references": [
"https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda",
"https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28459",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28458",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extensio...",
"description": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.457",
"references": [
"https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h",
"https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-relay-cdp-websocket-endpoint"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28458",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28457",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirrori...",
"description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.227",
"references": [
"https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28457",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28456",
"severity": "high",
"type": "unknown_cwe_427",
"nvd_category_id": "CWE-427",
"title": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it doe...",
"description": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.020",
"references": [
"https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce",
"https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888"
],
"cvss_score": 7.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28456",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.2); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28454",
"severity": "high",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must ...",
"description": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.817",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670",
"https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28454",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28453",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, all...",
"description": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.617",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw",
"https://www.vulncheck.com/advisories/openclaw-zip-slip-path-traversal-in-tar-archive-extraction"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28453",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28452",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive...",
"description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.410",
"references": [
"https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea",
"https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28451",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feis...",
"description": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.210",
"references": [
"https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m",
"https://www.vulncheck.com/advisories/openclaw-ssrf-via-feishu-extension-media-fetching"
],
"cvss_score": 8.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28451",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28450",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated H...",
"description": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.003",
"references": [
"https://github.com/openclaw/openclaw/commit/647d929c9d0fd114249230d939a5cb3b36dc70e7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383",
"https://www.vulncheck.com/advisories/openclaw-unauthenticated-profile-tampering-via-nostr-plugin-http-endpoints"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28450",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.8); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28448",
"severity": "high",
"type": "improper_authorization",
"nvd_category_id": "CWE-285",
"title": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be ...",
"description": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.803",
"references": [
"https://github.com/openclaw/openclaw/commit/8c7901c984866a776eb59662dc9d8b028de4f0d0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-twitch-plugin-allowfrom-access-control"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28448",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28447",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugi...",
"description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.600",
"references": [
"https://github.com/openclaw/openclaw/commit/d03eca8450dc493b198a88b105fd180895238e57",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw",
"https://www.vulncheck.com/advisories/openclaw-beta-path-traversal-in-plugin-installation-via-package-name"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28447",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28446",
"severity": "critical",
"type": "unknown_cwe_303",
"nvd_category_id": "CWE-303",
"title": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an a...",
"description": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.390",
"references": [
"https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x",
"https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id"
],
"cvss_score": 9.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28446",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.4); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28395",
"severity": "medium",
"type": "unknown_cwe_1327",
"nvd_category_id": "CWE-1327",
"title": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in...",
"description": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.173",
"references": [
"https://github.com/openclaw/openclaw/commit/8d75a496bf5aaab1755c56cf48502d967c75a1d0",
"https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28395",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28394",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool...",
"description": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.973",
"references": [
"https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-response-parsing-in-web-fetch-tool"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28394",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28393",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook tran...",
"description": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta3:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta4:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta5:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.767",
"references": [
"https://github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5",
"https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28393",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.7); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28392",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash...",
"description": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.567",
"references": [
"https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messages"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28392",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28391",
"severity": "critical",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allo...",
"description": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.360",
"references": [
"https://github.com/openclaw/openclaw/commit/a7f4a53ce80c98ba1452eb90802d447fca9bf3d6",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmdexe-parsing-bypass-in-allowlist-enforcement"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28391",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28363",
"severity": "critical",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long...",
"description": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-27T04:16:03.227",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28363",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27576",
"severity": "medium",
"type": "uncontrolled_resource_consumption",
"nvd_category_id": "CWE-400",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very la...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs. This issue has been fixed in version 2026.2.19.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.437",
"references": [
"https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c",
"https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68",
"https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a"
],
"cvss_score": 4.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.0); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27488",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/g...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.267",
"references": [
"https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27488",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27487",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude C...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.100",
"references": [
"https://github.com/openclaw/openclaw/commit/66d7178f2d6f9d60abad35797f97f3e61389b70c",
"https://github.com/openclaw/openclaw/commit/9dce3d8bf83f13c067bc3c32291643d2f1f10a06",
"https://github.com/openclaw/openclaw/commit/b908388245764fb3586859f44d1dff5372b19caf"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27487",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27486",
"severity": "medium",
"type": "unknown_cwe_283",
"nvd_category_id": "CWE-283",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the proces...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can be terminated if they match the pattern. The CLI runner cleanup helpers can kill processes matched by command-line patterns without validating process ownership. This issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.903",
"references": [
"https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557",
"https://github.com/openclaw/openclaw/commit/eb60e2e1b213740c3c587a7ba4dbf10da620ca66",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27486",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27485",
"severity": "medium",
"type": "unknown_cwe_61",
"nvd_category_id": "CWE-61",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/p...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.723",
"references": [
"https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f",
"https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0",
"https://github.com/openclaw/openclaw/pull/20796"
],
"cvss_score": 4.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.4); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27484",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action ...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.557",
"references": [
"https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27484",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27009",
"severity": "medium",
"type": "cross_site_scripting",
"nvd_category_id": "CWE-79",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw ...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `<script>` tag without script-context-safe escaping. A crafted value containing `</script>` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.620",
"references": [
"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e",
"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
],
"cvss_score": 5.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27009",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.8); requires local access; XSS has limited impact in headless agents",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27008",
"severity": "medium",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installat...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.460",
"references": [
"https://github.com/openclaw/openclaw/commit/2363e1b0853a028e47f90dcc1066e3e9809d65f1",
"https://github.com/openclaw/openclaw/commit/b6305e97256d67e439719faacf5af3de9727d6e1",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27008",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27007",
"severity": "low",
"type": "unknown_cwe_1254",
"nvd_category_id": "CWE-1254",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/s...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused. This is a configuration integrity issue affecting sandbox recreation behavior. Starting in version 2026.2.15, array ordering is preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.303",
"references": [
"https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp"
],
"cvss_score": 3.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27004",
"severity": "medium",
"type": "unknown_cwe_209",
"nvd_category_id": "CWE-209",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, O...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.140",
"references": [
"https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27004",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27003",
"severity": "medium",
"type": "unknown_cwe_522",
"nvd_category_id": "CWE-522",
"title": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack trac...",
"description": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.983",
"references": [
"https://github.com/openclaw/openclaw/commit/cf69907015b659e5025efb735ee31bd05c4ee3d5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-chf7-jq6g-qrwv"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27003",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27002",
"severity": "critical",
"type": "execution_with_unnecessary_privileges",
"nvd_category_id": "CWE-250",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in ...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.827",
"references": [
"https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27002",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27001",
"severity": "high",
"type": "command_injection",
"nvd_category_id": "CWE-77",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current worki...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.653",
"references": [
"https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27001",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26972",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser downl...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.500",
"references": [
"https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.13",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26972",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.7); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26329",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read ar...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:15.687",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26329",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26328",
"severity": "medium",
"type": "improper_access_control",
"nvd_category_id": "CWE-284",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowli...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:15.523",
"references": [
"https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26327",
"severity": "medium",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records...",
"description": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:26.100",
"references": [
"https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26327",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26326",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secr...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only `{ path, satisfied }`) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.950",
"references": [
"https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a",
"https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26326",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26325",
"severity": "high",
"type": "improper_access_control",
"nvd_category_id": "CWE-284",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.800",
"references": [
"https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"
],
"cvss_score": 7.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26325",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.2); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26324",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Version 2026.2.14 patches the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.653",
"references": [
"https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26324",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26323",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in...",
"description": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.500",
"references": [
"https://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26323",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26322",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted ...",
"description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.340",
"references": [
"https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26322",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26321",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previ...",
"description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.180",
"references": [
"https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26321",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26320",
"severity": "medium",
"type": "unknown_cwe_451",
"nvd_category_id": "CWE-451",
"title": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL s...",
"description": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked \"Run.\" At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approve unexpected \"Run OpenClaw agent?\" prompts triggered while browsing untrusted sites and usingunattended deep links only with a valid `key` for trusted personal automations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.017",
"references": [
"https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26320",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26319",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice...",
"description": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:24.857",
"references": [
"https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b",
"https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26319",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26317",
"severity": "high",
"type": "cross_site_request_forgery",
"nvd_category_id": "CWE-352",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes ac...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T22:16:47.270",
"references": [
"https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26316",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel p...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T22:16:47.110",
"references": [
"https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a",
"https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26316",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25474",
"severity": "high",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSe...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegrams secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T07:17:45.847",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670",
"https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25474",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-24764",
"severity": "low",
"type": "unknown_cwe_74",
"nvd_category_id": "CWE-74",
"title": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions ...",
"description": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T07:17:44.957",
"references": [
"https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24764",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25593",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-06T21:16:17.790",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25475",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-04T20:16:07.287",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25475",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25157",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vu...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-04T20:16:06.577",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.7); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-24763",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026....",
"description": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaws Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-02T23:16:08.593",
"references": [
"https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75",
"https://github.com/openclaw/openclaw/releases/tag/v2026.1.29",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25253",
"severity": "high",
"type": "incorrect_resource_transfer_between_spheres",
"nvd_category_id": "CWE-669",
"title": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string a...",
"description": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-01T23:15:49.717",
"references": [
"https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys",
"https://ethiack.com/news/blog/one-click-rce-moltbot",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink