Filtered by vendor Openclaw
Subscriptions
Filtered by product Openclaw
Subscriptions
Total
194 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22169 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 6.4 Medium |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.safeBins, remote attackers can bypass intended safe-bin approval constraints by leveraging the compress-program parameter to execute unauthorized external programs. | ||||
| CVE-2026-22168 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 6.5 Medium |
| OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs. | ||||
| CVE-2026-27670 | 1 Openclaw | 1 Openclaw | 2026-03-19 | 5.3 Medium |
| OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root. | ||||
| CVE-2026-27524 | 1 Openclaw | 1 Openclaw | 2026-03-18 | 3.1 Low |
| OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to manipulate object prototypes and bypass command gate restrictions. | ||||
| CVE-2026-27545 | 1 Openclaw | 1 Openclaw | 2026-03-18 | 6.1 Medium |
| OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string. | ||||
| CVE-2026-22217 | 1 Openclaw | 1 Openclaw | 2026-03-18 | 5.3 Medium |
| OpenClaw version 2026.2.22 prior to 2026.2.23 contain an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable. An attacker can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin to execute arbitrary binaries in the OpenClaw process context. | ||||
| CVE-2026-27522 | 1 Openclaw | 1 Openclaw | 2026-03-18 | 6.5 Medium |
| OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user. | ||||
| CVE-2026-27523 | 1 Openclaw | 1 Openclaw | 2026-03-18 | 6.1 Medium |
| OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement. | ||||
| CVE-2026-28470 | 1 Openclaw | 1 Openclaw | 2026-03-17 | 8.1 High |
| OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands. | ||||
| CVE-2026-28479 | 1 Openclaw | 1 Openclaw | 2026-03-17 | 7.5 High |
| OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse. | ||||
| CVE-2026-28480 | 1 Openclaw | 1 Openclaw | 2026-03-17 | 6.5 Medium |
| OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders. | ||||
| CVE-2026-30741 | 1 Openclaw | 2 Agent Platform, Openclaw | 2026-03-17 | 9.8 Critical |
| A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack. | ||||
| CVE-2026-32061 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 4.4 Medium |
| OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials. | ||||
| CVE-2026-32063 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 7.1 High |
| OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user. | ||||
| CVE-2026-32060 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 8.8 High |
| OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files. | ||||
| CVE-2026-32059 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 8.8 High |
| OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode. | ||||
| CVE-2026-32062 | 1 Openclaw | 2 Openclaw, Voice-call | 2026-03-12 | 7.5 High |
| OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams. | ||||
| CVE-2026-28471 | 1 Openclaw | 1 Openclaw | 2026-03-11 | 5.3 Medium |
| OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline. | ||||
| CVE-2026-28473 | 1 Openclaw | 1 Openclaw | 2026-03-11 | 8.1 High |
| OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls. | ||||
| CVE-2026-28475 | 1 Openclaw | 1 Openclaw | 2026-03-11 | 4.8 Medium |
| OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token. | ||||