An automated tracker that continuously monitors OpenClaw security advisories across the GitHub Advisory Database, repo-level security advisories, and a full scan of the CVE V5 (cvelistV5) registry covering every CVE affecting OpenClaw regardless of which CNA assigned it. On each run it pulls the latest data, reconciles GHSA → CVE publication state, breaks the totals down by assigning CNA, and regenerates this dashboard so you always have an up-to-date picture of the project's vulnerability landscape.
Last updated: 2026-07-06 15:41 UTC · MIT License · Full Advisory List · Security Policy · Data: cvelistV5 + Advisory DB · Updates every 6h
All CVEs by CNA · Published CVEs · Pipeline · Advisories · Categories · Insights · Identity
| Field | Value |
|---|---|
| Current Name | OpenClaw |
| Previous Names | Moltbot (second name), Clawdbot (original name) |
| Repository | openclaw/openclaw |
| npm Package | openclaw (formerly clawdbot) |
| Author | Peter Steinberger (steipete) |
Search terms for CVE discovery
To find all CVEs, search for: openclaw, clawdbot, moltbot, clawhub, pkg:npm/clawdbot, pkg:npm/openclaw
The sections lower down track CVEs that have an OpenClaw GitHub Security Advisory — i.e. CVEs the project issued itself. That is only part of the picture. A direct scan of the authoritative CVE List V5 registry finds 543 CVEs that name OpenClaw as an affected product, the large majority assigned by third-party researchers rather than the project. Earlier versions of this tracker reported only the ~51 project-issued (GHSA-linked) CVEs and were blind to this external stream.
| Count | |
|---|---|
| Total OpenClaw CVEs (all CNAs) | 543 |
| Project-issued (GitHub as CNA) | 34 |
| Third-party-issued (VulnCheck, ZDI, MITRE, …) | 509 |
| CNA | CVEs | Share |
|---|---|---|
| VulnCheck | 500 | 92.1% |
| GitHub_M | 34 | 6.3% |
| VulDB | 4 | 0.7% |
| zdi | 3 | 0.6% |
| mitre | 2 | 0.4% |
The steady third-party (VulnCheck-led) disclosure cadence across 2026:
| Month | CVEs | |
|---|---|---|
| 2026-02 | 35 | ████ |
| 2026-03 | 198 | ████████████████████ |
| 2026-04 | 174 | ██████████████████ |
| 2026-05 | 75 | ████████ |
| 2026-06 | 61 | ██████ |
Methodology: generated by
reconcile_cnas.py, which scans every record in CVEProject/cvelistV5 and selects those whosecontainers.cna.affected[].vendoror.productisopenclaw(case-insensitive), or that referencegithub.com/openclaw/openclaw.REJECTEDrecords are excluded. VulnCheck is by far the dominant CNA — its researchers drive the bulk of OpenClaw disclosures. The GHSA-based sections below cover the project's own advisories and are unchanged. Full reconciled set:openclaw-cves-all.json· aggregates:cna-breakdown.json.
These CVEs have full records in the CVEProject/cvelistV5 repository:
| CVE ID | Severity | CVSS | Title | CWE | Published |
|---|---|---|---|---|---|
| CVE-2026-24763 | 8.8 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | CWE-78 | 2026-02-02 | |
| CVE-2026-25253 | 8.8 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | CWE-669 | 2026-02-01 | |
| CVE-2026-28478 | 8.7 | OpenClaw affected by denial of service via unbounded webhook request body buffering | CWE-770 | 2026-03-05 | |
| CVE-2026-53819 | 8.7 | OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows | CWE-426 | 2026-06-11 | |
| CVE-2026-53814 | 8.7 | OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority | CWE-266 | 2026-06-11 | |
| CVE-2026-53817 | 8.7 | OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing | CWE-290 | 2026-06-11 | |
| CVE-2026-53843 | 8.7 | OpenClaw: Pairing-scoped device session could restore revoked node token authority | CWE-613 | 2026-06-16 | |
| CVE-2026-53816 | 8.6 | OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node | CWE-862 | 2026-06-11 | |
| CVE-2026-53849 | 8.6 | OpenClaw: Discord allowFrom could bind to mutable display names | CWE-290 | 2026-06-16 | |
| CVE-2026-53857 | 8.6 | OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy | CWE-290 | 2026-06-16 | |
| CVE-2026-28469 | 8.2 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | CWE-639 | 2026-03-05 | |
| CVE-2026-35630 | 8 | OpenClaw: QQBot native approval buttons did not enforce configured approver identity | CWE-862 | 2026-05-29 | |
| CVE-2026-25157 | 7.8 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | CWE-78 | 2026-02-04 | |
| CVE-2026-53810 | 7.7 | OpenClaw's marketplace runtime extension metadata could point at unscanned payloads | CWE-829 | 2026-06-11 | |
| CVE-2026-53806 | 7.7 | OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation | CWE-367 | 2026-06-11 | |
| CVE-2026-53811 | 7.7 | OpenClaw: Matrix allowFrom could bind to mutable display names | CWE-290 | 2026-06-11 | |
| CVE-2026-53855 | 7.6 | OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks | CWE-184, CWE-863 | 2026-06-16 | |
| CVE-2026-53853 | 7.6 | OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns | CWE-693, CWE-863 | 2026-06-16 | |
| CVE-2026-53866 | 7.6 | OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing | CWE-862 | 2026-06-16 | |
| CVE-2026-53864 | 7.6 | OpenClaw: Host environment sanitizer missed two Node.js control variables | CWE-184 | 2026-06-16 | |
| CVE-2026-28458 | 7.4 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | CWE-306 | 2026-03-05 | |
| CVE-2026-53813 | 7.3 | OpenClaw: Fake package roots could influence memory-core artifact loading | CWE-427 | 2026-06-11 | |
| CVE-2026-53865 | 7.2 | OpenClaw: Workspace-derived service PATH could influence trash command selection | CWE-426 | 2026-06-16 | |
| CVE-2026-26317 | 7.1 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | CWE-352 | 2026-02-19 | |
| CVE-2026-53815 | 7.1 | OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions | CWE-862 | 2026-06-11 | |
| CVE-2026-53842 | 7 | OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | CWE-426 | 2026-06-16 | |
| CVE-2026-53846 | 7 | OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install | CWE-426 | 2026-06-16 | |
| CVE-2026-53858 | 7 | OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | CWE-426 | 2026-06-16 | |
| CVE-2026-28480 | 6.9 | OpenClaw Telegram allowlist authorization accepted mutable usernames | CWE-290 | 2026-03-05 | |
| CVE-2026-53818 | 6.9 | OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback | CWE-862 | 2026-06-11 | |
| CVE-2026-29612 | 6.8 | OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding | CWE-770 | 2026-03-05 | |
| CVE-2026-53850 | 6.8 | OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command | CWE-862 | 2026-06-16 | |
| CVE-2026-28452 | 6.7 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | CWE-770 | 2026-03-05 | |
| CVE-2026-26328 | 6.5 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | CWE-284, CWE-863 | 2026-02-19 | |
| CVE-2026-53851 | 6.3 | OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass | CWE-862 | 2026-06-16 | |
| CVE-2026-53840 | 6 | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin | CWE-522 | 2026-06-16 | |
| CVE-2026-53844 | 6 | OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search | CWE-862 | 2026-06-16 | |
| CVE-2026-53854 | 6 | OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | CWE-863 | 2026-06-16 | |
| CVE-2026-53863 | 6 | OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy | CWE-639 | 2026-06-16 | |
| CVE-2026-53859 | 6 | OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency | CWE-1023, CWE-918 | 2026-06-16 | |
| CVE-2026-53856 | 5.7 | OpenClaw: Config recovery could restore openclaw.json with broad file permissions | CWE-732 | 2026-06-16 | |
| CVE-2026-53847 | 5.3 | OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope | CWE-266 | 2026-06-16 | |
| CVE-2026-53861 | 5.3 | OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS | CWE-184 | 2026-06-16 | |
| CVE-2026-53812 | 4.9 | OpenClaw's browser act interactions could bypass private-network navigation checks | CWE-918 | 2026-06-11 | |
| CVE-2026-53809 | 4.8 | OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy | CWE-863 | 2026-06-11 | |
| CVE-2026-53845 | 2.3 | OpenClaw: Skill-command dispatch could skip before-tool-call hooks | CWE-693 | 2026-06-16 | |
| CVE-2026-53852 | 2.3 | OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing | CWE-636 | 2026-06-16 | |
| CVE-2026-53848 | 2.3 | OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers | CWE-184 | 2026-06-16 | |
| CVE-2026-53860 | 2.3 | OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers | CWE-807, CWE-863 | 2026-06-16 | |
| CVE-2026-53862 | 2.3 | OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening | CWE-266, CWE-345 | 2026-06-16 | |
| CVE-2026-53841 | 2.1 | OpenClaw: Exported session HTML could keep unsafe markdown links | CWE-83 | 2026-06-16 |
📖 Detailed CVE Analysis (click to expand)
CVE-2026-24763 — OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | clawdbot / clawdbot |
| Advisory | GHSA-mc68-q9jw-2h3v |
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
Naming note: Uses old name
clawdbot/clawdbotas vendor/product. References:
- https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75
- https://github.com/openclaw/openclaw/releases/tag/v2026.1.29
CVE-2026-25253 — OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
| Field | Detail |
|---|---|
| CVSS | 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-669 (CWE-669 Incorrect Resource Transfer Between Spheres) |
| Affected | < 2026.1.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-g8p2-7wf7-98mq |
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Naming note: Uses all three names in description. packageURL still references
pkg:npm/clawdbot. References:
CVE-2026-28478 — OpenClaw affected by denial of service via unbounded webhook request body buffering
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.13 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q447-rj3r-2cgh |
OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering
CVE-2026-53819 — OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.27 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8wg3-5mcm-fjq8 |
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.
References:
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment) |
| Affected | < 2026.5.20 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-6fvr-66p3-3qj4 |
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.
References:
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.22 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-chr9-m4q2-76hw |
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.
References:
| Field | Detail |
|---|---|
| CVSS | 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-613 (Insufficient Session Expiration) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q99w-vh6v-q3v7 |
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
References:
| Field | Detail |
|---|---|
| CVSS | 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.18 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-3c6j-hq33-3jv4 |
OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide.
References:
| Field | Detail |
|---|---|
| CVSS | 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.7 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-cw4q-gqg5-g38h |
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
References:
| Field | Detail |
|---|---|
| CVSS | 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.3 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8c59-hr4w-qg69 |
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.
References:
CVE-2026-28469 — OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
| Field | Detail |
|---|---|
| CVSS | 8.2 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rq6g-px6m-c248 |
OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Ambiguity
CVE-2026-35630 — OpenClaw: QQBot native approval buttons did not enforce configured approver identity
| Field | Detail |
|---|---|
| CVSS | 8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.18 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mgq6-vr84-7m2j |
OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.
References:
| Field | Detail |
|---|---|
| CVSS | 7.8 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| CWE | CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) |
| Affected | < 2026.1.29 |
| Vendor/Product | openclaw / openclaw |
| Advisory | GHSA-q284-4pvr-m585 |
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.
CVE-2026-53810 — OpenClaw's marketplace runtime extension metadata could point at unscanned payloads
| Field | Detail |
|---|---|
| CVSS | 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) |
| Affected | < 2026.5.18 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-v6r2-jh58-xx6w |
OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning.
References:
| Field | Detail |
|---|---|
| CVSS | 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-vxx3-6hc9-7cc3 |
OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled.
References:
| Field | Detail |
|---|---|
| CVSS | 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.5.7 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-7hxm-f538-3xp6 |
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.
References:
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-5cj2-3jr2-5h77 |
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.
References:
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-693 (Protection Mechanism Failure), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-v2ww-5rh7-2h5v |
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.
References:
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-f397-5vjw-v2c2 |
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.
References:
| Field | Detail |
|---|---|
| CVSS | 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-ccwh-wwpp-6wg5 |
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
References:
CVE-2026-28458 — OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
| Field | Detail |
|---|---|
| CVSS | 7.4 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| Affected | < 2026.2.1 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mr32-vwc2-5j6h |
OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket Endpoint
| Field | Detail |
|---|---|
| CVSS | 7.3 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-427 (Uncontrolled Search Path Element) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-v8cx-933x-r976 |
OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.
References:
| Field | Detail |
|---|---|
| CVSS | 7.2 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rx78-29qr-5hq8 |
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.
References:
CVE-2026-26317 — OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L |
| CWE | CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF)) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-3fqr-4cg8-h96q |
OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or Sec-Fetch-Site: cross-site). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.
Naming note: Uses old name
openclaw/clawdbotas vendor/product. References:
- https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
| Field | Detail |
|---|---|
| CVSS | 7.1 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.19 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-q7q8-3mgw-q67r |
OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.
References:
CVE-2026-53842 — OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-fq9j-vw4w-fr6v |
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
References:
CVE-2026-53846 — OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.4.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-24vr-rprv-67rf |
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
References:
CVE-2026-53858 — OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
| Field | Detail |
|---|---|
| CVSS | 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-426 (Untrusted Search Path) |
| Affected | < 2026.5.2 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-wc84-j36w-pw4x |
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.
References:
| Field | Detail |
|---|---|
| CVSS | 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-290 (Authentication Bypass by Spoofing) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mj5r-hh7j-4gxf |
OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Identity Spoofing via Mutable Username in Telegram Allowlist Authorization
| Field | Detail |
|---|---|
| CVSS | 6.9 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.4.24 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rj6p-xmxr-qj4h |
OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.
References:
| Field | Detail |
|---|---|
| CVSS | 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-w2cg-vxx6-5xjg |
OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.
References:
- Patch Commit
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding
| Field | Detail |
|---|---|
| CVSS | 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-mpc8-jxjh-qpgh |
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.
References:
CVE-2026-28452 — OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
| Field | Detail |
|---|---|
| CVSS | 6.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| CWE | CWE-770 (Allocation of Resources Without Limits or Throttling) |
| Affected | < 2026.2.14 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-h89v-j3x9-8wqj |
OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.
References:
- Patch Commit #1
- Patch Commit #2
- VulnCheck Advisory: OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchive
CVE-2026-26328 — OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities
| Field | Detail |
|---|---|
| CVSS | 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CWE | CWE-284 (CWE-284: Improper Access Control), CWE-863 (CWE-863: Incorrect Authorization) |
| Affected | <= 2026.1.24-3 |
| Vendor/Product | openclaw / clawdbot |
| Advisory | GHSA-g34w-4xqq-h79m |
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.
Naming note: Uses old name
openclaw/clawdbotas vendor/product. References:
- https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
| Field | Detail |
|---|---|
| CVSS | 6.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-fcvx-5cxc-v5p8 |
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.
References:
CVE-2026-53840 — OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rjxq-qqhf-8hwh |
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
References:
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-862 (Missing Authorization) |
| Affected | < 2026.4.29 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-72fw-cqh5-f324 |
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
References:
CVE-2026-53854 — OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-4hpg-mp64-x7xq |
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.
References:
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-985f-72mj-8gf7 |
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.
References:
| Field | Detail |
|---|---|
| CVSS | 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-1023 (Incomplete Comparison with Missing Factors), CWE-918 (Server-Side Request Forgery (SSRF)) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-gxg4-2rrr-jhc7 |
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
References:
- VulnCheck Advisory: OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency
| Field | Detail |
|---|---|
| CVSS | 5.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-732 (Incorrect Permission Assignment for Critical Resource) |
| Affected | < 2026.4.24 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-rwp6-7w3q-75fq |
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.
References:
| Field | Detail |
|---|---|
| CVSS | 5.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-x629-46cc-7xgw |
OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.
References:
| Field | Detail |
|---|---|
| CVSS | 5.3 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-c226-q6fx-6j6c |
OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.
References:
| Field | Detail |
|---|---|
| CVSS | 4.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
| CWE | CWE-918 (Server-Side Request Forgery (SSRF)) |
| Affected | < 2026.5.18 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-2hfg-4fh4-qp7f |
OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.
References:
| Field | Detail |
|---|---|
| CVSS | 4.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
| CWE | CWE-863 (Incorrect Authorization) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-p39j-x9h5-q66m |
OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-693 (Protection Mechanism Failure) |
| Affected | < 2026.5.6 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-68xw-r643-9p5w |
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-636 (Not Failing Securely ('Failing Open')) |
| Affected | < 2026.4.25 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8mg9-j9cf-54cj |
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-184 (Incomplete List of Disallowed Inputs) |
| Affected | < 2026.5.26 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-cwpp-5962-q4f6 |
OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-807 (Reliance on Untrusted Inputs in a Security Decision), CWE-863 (Incorrect Authorization) |
| Affected | < 2026.5.7 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-8j37-5w68-wj2g |
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
References:
| Field | Detail |
|---|---|
| CVSS | 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| CWE | CWE-266 (Incorrect Privilege Assignment), CWE-345 (Insufficient Verification of Data Authenticity) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-9v8j-9c9g-w66c |
OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.
References:
- VulnCheck Advisory: OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening
| Field | Detail |
|---|---|
| CVSS | 2.1 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| CWE | CWE-83 (Improper Neutralization of Script in Attributes in a Web Page) |
| Affected | < 2026.5.12 |
| Vendor/Product | OpenClaw / OpenClaw |
| Advisory | GHSA-w9hf-3pp7-pvxv |
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
References:
Of 51 GHSAs with CVE IDs, 51 are fully published and 0 remain RESERVED.
graph LR
A["1️⃣ GitHub Reserves<br/>CVE ID<br/><b>RESERVED</b>"] --> B["2️⃣ GHSA Goes Public<br/>with CVE ID Shown"]
B --> C["3️⃣ CNA Submits<br/>CVE Record via<br/>CVE Services<br/><b>PUBLISHED</b>"]
C --> D["4️⃣ cvelistV5 Bot<br/>Commits JSON File"]
style A fill:#fee,stroke:#c33,color:#333
style B fill:#fff3cd,stroke:#856404,color:#333
style C fill:#d4edda,stroke:#155724,color:#333
style D fill:#cce5ff,stroke:#004085,color:#333
| CVE ID | State | cvelistV5 | GHSA Published | CNA |
|---|---|---|---|---|
| CVE-2026-24763 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25157 | ✅ PUBLISHED | ✅ | 2026-02-02 | GitHub_M |
| CVE-2026-25253 | ✅ PUBLISHED | ✅ | 2026-02-02 | mitre |
| CVE-2026-26317 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-26328 | ✅ PUBLISHED | ✅ | 2026-02-18 | GitHub_M |
| CVE-2026-28452 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28458 | ✅ PUBLISHED | ✅ | 2026-02-17 | VulnCheck |
| CVE-2026-28469 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28478 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-28480 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-29612 | ✅ PUBLISHED | ✅ | 2026-02-18 | VulnCheck |
| CVE-2026-35630 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53806 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53809 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53810 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53811 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53812 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53813 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53814 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53815 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53816 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53817 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53818 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53819 | ✅ PUBLISHED | ✅ | 2026-07-02 | VulnCheck |
| CVE-2026-53840 | ✅ PUBLISHED | ✅ | 2026-06-17 | VulnCheck |
| CVE-2026-53841 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53842 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53843 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53844 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53845 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53846 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53847 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53848 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53849 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53850 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53851 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53852 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53853 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53854 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53855 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53856 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53857 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53858 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53859 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53860 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53861 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53862 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53863 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53864 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53865 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| CVE-2026-53866 | ✅ PUBLISHED | ✅ | 2026-06-18 | VulnCheck |
| Insight | Detail |
|---|---|
| Dominant Weakness | 59% of categorized issues relate to Allowlist Bypass (38/64) |
| V5 Sync Rate | 51/51 CVE IDs (100%) have full cvelistV5 records |
| Advisory Velocity | 157 security advisories across 2026-02-02 → 2026-07-02 |
| Top Severity | 1 Critical + 90 High = 91 high-impact issues (58%) |
| Category | Count | Examples |
|---|---|---|
| OS Command Injection (CWE-78) | 12 | PATH injection, SSH command injection, Docker exec, keychain writes |
| Path Traversal (CWE-22) | 1 | MEDIA: paths, plugin install, browser downloads, Zip Slip, transcript paths |
| SSRF | 1 | Image tool fetch, Feishu extension, attachment/media URLs, IPv6 bypass |
| Auth Bypass / Missing Auth | 3 | WebSocket config.apply, webhook verification, browser relay, sandbox bridge |
| Allowlist Bypass | 38 | Telegram usernames, Matrix displayName, Slack DM, Twitch, voice-call |
| Injection (XSS/CSRF/Prompt) | 6 | XSS in Control UI, prompt injection via Slack/CWD/logs, CSRF |
| Denial of Service | 3 | Unbounded media fetch, webhook body buffering, archive expansion |
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-7hxm-f538-3xp6 | CVE-2026-53811 | OpenClaw: Matrix allowFrom could bind to mutable display names | 2026-07-02 | |
| GHSA-3c6j-hq33-3jv4 | CVE-2026-53816 | OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance | 2026-07-02 | |
| GHSA-vxx3-6hc9-7cc3 | CVE-2026-53806 | OpenClaw: Combined POSIX shell options could confuse exec revalidation | 2026-07-02 | |
| GHSA-v8cx-933x-r976 | CVE-2026-53813 | OpenClaw: Fake package roots could influence memory-core artifact loading | 2026-07-02 | |
| GHSA-8wg3-5mcm-fjq8 | CVE-2026-53819 | OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows | 2026-07-02 | |
| GHSA-mgq6-vr84-7m2j | CVE-2026-35630 | OpenClaw: QQBot native approval buttons did not enforce configured approver identity | 2026-07-02 | |
| GHSA-6fvr-66p3-3qj4 | CVE-2026-53814 | OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority | 2026-07-02 | |
| GHSA-chr9-m4q2-76hw | CVE-2026-53817 | OpenClaw: Control UI locality spoofing could mint a durable admin device token | 2026-07-02 | |
| GHSA-v6r2-jh58-xx6w | CVE-2026-53810 | OpenClaw's marketplace runtime extension metadata could point at unscanned payloads | 2026-07-02 | |
| GHSA-q7q8-3mgw-q67r | CVE-2026-53815 | OpenClaw: Message read actions could skip channel allowlist checks | 2026-07-02 | |
| GHSA-p73f-w79w-jqr5 | — | OpenClaw: Native command authorization could skip owner-command enforcement | 2026-07-02 | |
| GHSA-j472-gf56-x589 | — | OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks | 2026-07-02 | |
| GHSA-77q5-rr5v-x43q | — | OpenClaw: Trusted retry endpoint checks could match hostname prefixes | 2026-07-02 | |
| GHSA-w5ww-7chg-mxcq | — | OpenClaw: Telegram interactive callbacks could skip commands.allowFrom | 2026-07-02 | |
| GHSA-xr4f-mjxj-w6w5 | — | OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes | 2026-07-02 | |
| GHSA-w4v6-g3wm-w36c | — | OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy | 2026-07-02 | |
| GHSA-qjpc-qf9m-xwmr | — | OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing | 2026-07-02 | |
| GHSA-c29c-2q9c-pc86 | — | OpenClaw: Slack allowFrom could bind to mutable display names | 2026-07-02 | |
| GHSA-jvm4-4j77-39p6 | — | OpenClaw: QQBot streaming command could mutate config without explicit allowFrom | 2026-07-02 | |
| GHSA-83w9-h5wv-j9xm | — | OpenClaw: Node pairing reconnection could confuse approval scope state | 2026-07-02 | |
| GHSA-hw9r-h9mr-4jff | — | OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates | 2026-07-02 | |
| GHSA-mhq8-78pj-5j79 | — | OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion | 2026-07-02 | |
| GHSA-rggc-m335-3wvj | — | OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers | 2026-07-02 | |
| GHSA-2j8v-hwgc-x698 | — | OpenClaw: Shell wrapper argv could change between approval and execution | 2026-07-02 | |
| GHSA-xww8-gqvh-92x9 | — | OpenClaw: Exec approval display truncation could hide the command being approved | 2026-07-02 | |
| GHSA-rx78-29qr-5hq8 | CVE-2026-53865 | OpenClaw: Workspace-derived service PATH could influence trash command selection | 2026-06-18 | |
| GHSA-wc84-j36w-pw4x | CVE-2026-53858 | OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | 2026-06-18 | |
| GHSA-cw4q-gqg5-g38h | CVE-2026-53849 | OpenClaw: Discord allowFrom could bind to mutable display names | 2026-06-18 | |
| GHSA-24vr-rprv-67rf | CVE-2026-53846 | OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install | 2026-06-18 | |
| GHSA-v2ww-5rh7-2h5v | CVE-2026-53853 | OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns | 2026-06-18 | |
| GHSA-8c59-hr4w-qg69 | CVE-2026-53857 | OpenClaw: Zalo allowFrom could bind to mutable display names | 2026-06-18 | |
| GHSA-5cj2-3jr2-5h77 | CVE-2026-53855 | OpenClaw: Shell positional parameters could weaken strict inline-eval checks | 2026-06-18 | |
| GHSA-fq9j-vw4w-fr6v | CVE-2026-53842 | OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | 2026-06-18 | |
| GHSA-f397-5vjw-v2c2 | CVE-2026-53866 | OpenClaw: Shell inline-command parsing could miss an allowlist check | 2026-06-18 | |
| GHSA-q99w-vh6v-q3v7 | CVE-2026-53843 | OpenClaw: Pairing-scoped device session could restore revoked node token authority | 2026-06-18 | |
| GHSA-ccwh-wwpp-6wg5 | CVE-2026-53864 | OpenClaw: Host environment sanitizer missed two Node.js control variables | 2026-06-18 | |
| GHSA-rjxq-qqhf-8hwh | CVE-2026-53840 | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin | 2026-06-17 | |
| GHSA-2w22-3f6x-3hf4 | — | Duplicate Advisory: Workspace-derived service PATH could influence trash command selection | 2026-06-16 | |
| GHSA-vr6h-vxqj-3pjx | — | Duplicate Advisory: Host environment sanitizer missed two Node.js control variables | 2026-06-16 | |
| GHSA-v383-2wgg-v483 | — | Duplicate Advisory: Shell inline-command parsing could miss an allowlist check | 2026-06-16 | |
| GHSA-3v3j-737j-7g74 | — | Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns | 2026-06-16 | |
| GHSA-4qgr-57jq-93vh | — | Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots | 2026-06-16 | |
| GHSA-w7m7-3xcf-mp48 | — | Duplicate Advisory: Zalo allowFrom could bind to mutable display names | 2026-06-16 | |
| GHSA-27pq-2ph8-8x25 | — | Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks | 2026-06-16 | |
| GHSA-qp5j-jr73-m2pw | — | Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install | 2026-06-16 | |
| GHSA-p44v-rx83-vjp4 | — | Duplicate Advisory: Discord allowFrom could bind to mutable display names | 2026-06-16 | |
| GHSA-9fr2-p65v-gqxq | — | Duplicate Advisory: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution | 2026-06-16 | |
| GHSA-wrmq-9fc4-gwwj | — | Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority | 2026-06-16 | |
| GHSA-hx4v-668p-g2qr | — | Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity | 2026-05-29 | |
| GHSA-xpr6-2hgm-4wwp | — | Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution | 2026-05-11 | |
| GHSA-rq6g-px6m-c248 | CVE-2026-28469 | OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting | 2026-02-18 | |
| GHSA-3fqr-4cg8-h96q | CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 2026-02-18 | |
| GHSA-q447-rj3r-2cgh | CVE-2026-28478 | OpenClaw affected by denial of service via unbounded webhook request body buffering | 2026-02-18 | |
| GHSA-mr32-vwc2-5j6h | CVE-2026-28458 | OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access | 2026-02-17 | |
| GHSA-q284-4pvr-m585 | CVE-2026-25157 | OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand | 2026-02-02 | |
| GHSA-g8p2-7wf7-98mq | CVE-2026-25253 | OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 | |
| GHSA-mc68-q9jw-2h3v | CVE-2026-24763 | OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable | 2026-02-02 | |
| GHSA-r2c6-8jc8-g32w | — | Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl | 2026-02-02 |
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-rj6p-xmxr-qj4h | CVE-2026-53818 | OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers | 2026-07-02 | |
| GHSA-p39j-x9h5-q66m | CVE-2026-53809 | OpenClaw: Embedded runner policy could be confused by provider aliases | 2026-07-02 | |
| GHSA-2hfg-4fh4-qp7f | CVE-2026-53812 | OpenClaw's browser act interactions could bypass private-network navigation checks | 2026-07-02 | |
| GHSA-4m3v-q747-pc6h | — | OpenClaw: Mattermost slash token revocation could lag until monitor refresh | 2026-07-02 | |
| GHSA-275c-xpvc-jgfw | — | OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload | 2026-07-02 | |
| GHSA-6c4r-g249-wv3c | — | OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts | 2026-07-02 | |
| GHSA-77pv-3w4q-vrj5 | — | OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks | 2026-07-02 | |
| GHSA-hcm3-8f6r-6xwg | — | OpenClaw: Browser debug/export routes could reuse already-open blocked tabs | 2026-07-02 | |
| GHSA-grc3-2j34-p6gm | — | OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs | 2026-07-02 | |
| GHSA-gp79-m99v-gjmh | — | OpenClaw: Mattermost handlers could fall open when channel type was missing | 2026-07-02 | |
| GHSA-cqwv-9qjx-vxw2 | — | OpenClaw: Skill Workshop apply flow could override pending approval | 2026-07-02 | |
| GHSA-wv26-j37q-2g7p | — | OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions | 2026-07-02 | |
| GHSA-p2fh-f5fc-44hr | — | OpenClaw: memory-wiki ingest could read local files with operator.write scope | 2026-07-02 | |
| GHSA-qh2f-99mv-mrcf | — | OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn | 2026-07-02 | |
| GHSA-9c3v-684m-579c | — | OpenClaw MCP SSE redirects could forward Authorization headers | 2026-07-01 | |
| GHSA-4hpg-mp64-x7xq | CVE-2026-53854 | OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | 2026-06-18 | |
| GHSA-mpc8-jxjh-qpgh | CVE-2026-53850 | OpenClaw: Focus command could miss controlScope enforcement | 2026-06-18 | |
| GHSA-72fw-cqh5-f324 | CVE-2026-53844 | OpenClaw: memory-wiki shared search could miss session visibility checks | 2026-06-18 | |
| GHSA-rwp6-7w3q-75fq | CVE-2026-53856 | OpenClaw: Config recovery could restore openclaw.json with broad file permissions | 2026-06-18 | |
| GHSA-x629-46cc-7xgw | CVE-2026-53847 | OpenClaw: Active Memory write scope could mutate global config | 2026-06-18 | |
| GHSA-w9hf-3pp7-pvxv | CVE-2026-53841 | OpenClaw: Exported session HTML could keep unsafe markdown links | 2026-06-18 | |
| GHSA-fcvx-5cxc-v5p8 | CVE-2026-53851 | OpenClaw: Slack reaction events could ignore reaction notification settings | 2026-06-18 | |
| GHSA-gxg4-2rrr-jhc7 | CVE-2026-53859 | OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently | 2026-06-18 | |
| GHSA-c226-q6fx-6j6c | CVE-2026-53861 | OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags | 2026-06-18 | |
| GHSA-985f-72mj-8gf7 | CVE-2026-53863 | OpenClaw: Tool group policy callers could accept unvalidated group IDs | 2026-06-18 | |
| GHSA-8wmm-344f-mpjg | — | Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs | 2026-06-16 | |
| GHSA-g796-jqmx-wf9q | — | Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags | 2026-06-16 | |
| GHSA-vqx6-6j84-2794 | — | Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently | 2026-06-16 | |
| GHSA-r2fx-hp6p-pgrm | — | Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state | 2026-06-16 | |
| GHSA-vqj9-vhg4-27mg | — | Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions | 2026-06-16 | |
| GHSA-c8w7-9w9h-x69q | — | Duplicate Advisory: Slack reaction events could ignore reaction notification settings | 2026-06-16 | |
| GHSA-gw2c-6hcg-5g52 | — | Duplicate Advisory: Focus command could miss controlScope enforcement | 2026-06-16 | |
| GHSA-58wc-8wrv-xp9j | — | Duplicate Advisory: Active Memory write scope could mutate global config | 2026-06-16 | |
| GHSA-x7cf-6gp3-q5f8 | — | Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin | 2026-06-16 | |
| GHSA-6jm4-83g2-35gv | — | Duplicate Advisory: memory-wiki shared search could miss session visibility checks | 2026-06-16 | |
| GHSA-v8j2-5f9p-fmh4 | — | Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload | 2026-05-11 | |
| GHSA-5jgm-f9wr-9qm7 | — | Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts | 2026-05-11 | |
| GHSA-9j32-3m66-mc4m | — | Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in | 2026-05-11 | |
| GHSA-mj5r-hh7j-4gxf | CVE-2026-28480 | OpenClaw Telegram allowlist authorization accepted mutable usernames | 2026-02-18 | |
| GHSA-h89v-j3x9-8wqj | CVE-2026-28452 | OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) | 2026-02-18 | |
| GHSA-w2cg-vxx6-5xjg | CVE-2026-29612 | OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks | 2026-02-18 | |
| GHSA-g34w-4xqq-h79m | CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 2026-02-18 |
| GHSA | CVE | Severity | Title | Published |
|---|---|---|---|---|
| GHSA-3wqp-prf6-2m72 | — | OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement | 2026-07-02 | |
| GHSA-8mg9-j9cf-54cj | CVE-2026-53852 | OpenClaw: Empty-scope device re-pairing could confuse caller scope containment | 2026-06-18 | |
| GHSA-8j37-5w68-wj2g | CVE-2026-53860 | OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers | 2026-06-18 | |
| GHSA-68xw-r643-9p5w | CVE-2026-53845 | OpenClaw: Skill-command dispatch could skip before-tool-call hooks | 2026-06-18 | |
| GHSA-9v8j-9c9g-w66c | CVE-2026-53862 | OpenClaw: Bootstrap token replay could widen pending pairing scopes | 2026-06-18 | |
| GHSA-cwpp-5962-q4f6 | CVE-2026-53848 | OpenClaw: Exec allowlist could miss side effects from transparent command wrappers | 2026-06-18 | |
| GHSA-h9h6-pwqv-j9hv | — | Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes | 2026-06-16 | |
| GHSA-8hj2-w4c9-fjfq | — | Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers | 2026-06-16 | |
| GHSA-hc4w-hm59-9w88 | — | Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment | 2026-06-16 | |
| GHSA-r7vv-6763-m739 | — | Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks | 2026-06-16 | |
| GHSA-wrr6-p5r6-474m | — | Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers | 2026-06-16 | |
| GHSA-6xcg-6q43-rj2v | — | Duplicate Advisory: Exported session HTML could keep unsafe markdown links | 2026-06-16 | |
| GHSA-chm2-m3w2-wcxm | — | OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch | 2026-02-17 |
These advisories are listed on the repo security page but not yet indexed in the GitHub Advisory Database. See the full advisory list for details.
Show 44 repo-only advisories
| GHSA | Severity | Title | Published |
|---|---|---|---|
| GHSA-2q7j-2vhx-56g8 | Feishu tools could ignore per-account disablement | 2026-06-30 | |
| GHSA-2x93-h3hg-2xfp | Browser snapshot routes could miss post-navigation SSRF checks | 2026-06-30 | |
| GHSA-34mr-7r3m-gfg7 | Exec allowlist glob matching could allow traversal bypasses | 2026-06-30 | |
| GHSA-3fp5-v549-9v66 | flock wrapper could bypass durable exec approval binding | 2026-06-30 | |
| GHSA-3pmr-x9g8-m55r | Discord guild actions could skip cross-provider requester authorization | 2026-06-30 | |
| GHSA-3x84-qq85-fj65 | Browser CDP discovery could accept blocked WebSocket URLs | 2026-06-30 | |
| GHSA-4pqj-3c56-5fqq | Workspace dotenv files could override provider credentials | 2026-06-30 | |
| GHSA-52xj-c9p8-78cv | MCP loopback could expose owner-only tools to non-owner runs | 2026-06-30 | |
| GHSA-575v-8hfq-m3mc | Sandbox bind mounts could bypass parent-directory denylist checks | 2026-06-30 | |
| GHSA-724r-v4wf-mqc5 | Hooks allowedAgentIds could be bypassed with blank agent IDs | 2026-06-30 | |
| GHSA-7jx6-764p-fgg9 | QQBot exec approvals could allow non-allowlisted senders | 2026-06-30 | |
| GHSA-7vrr-rp4x-4g76 | Plugin install commands could allow non-owner persistence | 2026-06-30 | |
| GHSA-8f46-3xx3-8c9m | Node exec approvals could use different gateway and node environments | 2026-06-30 | |
| GHSA-8v95-qqcm-qp9h | device.pair.approve could bypass role-management checks | 2026-06-30 | |
| GHSA-9969-8g9h-rxwm | Host exec environment filtering could allow Git ext transport | 2026-06-30 | |
| GHSA-cf2p-f286-mphf | Identity-bearing HTTP callers could reach admin-scoped tools | 2026-06-30 | |
| GHSA-f6p7-6326-vf7v | Discord moderation actions could miss trusted requester checks | 2026-06-30 | |
| GHSA-fh38-965w-f6c3 | WhatsApp group IDs could satisfy elevated sender allowlists | 2026-06-30 | |
| GHSA-hjr6-g723-hmfm | Host exec environment filtering could miss interpreter startup variables | 2026-06-30 | |
| GHSA-hx85-fgcw-9vrc | Device-pair approval could expose node system.run early | 2026-06-30 | |
| GHSA-jhfx-v2j8-x3m6 | OpenAI-compatible HTTP model overrides could miss admin authorization | 2026-06-30 | |
| GHSA-m38g-vpwj-mpg9 | OpenShell mirror sync could follow remote symlink parents | 2026-06-30 | |
| GHSA-mgvr-6gvw-3rgr | Sandbox exec-server HTTP requests could reach internal networks | 2026-06-30 | |
| GHSA-mm9g-83wh-mhwj | Isolated cron jobs could regain denied exec tools | 2026-06-30 | |
| GHSA-p5xh-frrh-cmgj | MS Teams message actions could miss requester authorization | 2026-06-30 | |
| GHSA-rh6r-vvfc-86jq | Setup-mode discovery could load untrusted workspace plugins | 2026-06-30 | |
| GHSA-v7hx-r36p-f68m | Message mutations could skip requester authorization | 2026-06-30 | |
| GHSA-vr7j-7684-7gm5 | HTTP Canvas responses could forge trusted A2UI actions | 2026-06-30 | |
| GHSA-w8wf-3qvj-6xqf | Feishu permission tools could ignore per-account disablement | 2026-06-30 | |
| GHSA-wp73-f3gg-w4vr | ClickClack agent-mode dispatch could ignore toolsAllow | 2026-06-30 | |
| GHSA-wxh3-g47h-q3mc | Host exec environment filtering could miss rustup startup variables | 2026-06-30 | |
| GHSA-wxm8-ghhq-q688 | MS Teams safeFetch could race DNS rebinding checks | 2026-06-30 | |
| GHSA-x863-pqjw-hmgf | Browser act route could miss current-tab URL checks | 2026-06-30 | |
| GHSA-4xwj-mcc7-x7x5 | Remote media URLs could slow-read exhaust tool workers | 2026-06-30 | |
| GHSA-5p6w-wmh3-frfr | WebSocket auth attempts could avoid non-browser rate limits | 2026-06-30 | |
| GHSA-7w4v-g4m6-j88v | [AgentGG] MS Teams allowFrom could bind to mutable display names | 2026-06-30 | |
| GHSA-fh8v-vgcv-pwh4 | ClickClack allowFrom could allow non-allowlisted commands | 2026-06-30 | |
| GHSA-fwgr-fpv9-vf5x | QQBot media upload could reach untrusted remote URLs | 2026-06-30 | |
| GHSA-j4cx-jvq7-79vm | Trajectory export could skip broad credential redaction | 2026-06-30 | |
| GHSA-mhm4-93fw-4qr2 | Skill command dispatch could skip effective tool policy | 2026-06-30 | |
| GHSA-prwc-c6w5-mmgr | Bot Framework serviceUrl validation could leak bot tokens | 2026-06-30 | |
| GHSA-v4f6-x5g5-2g4g | Native web search could ignore OpenClaw tool policy | 2026-06-30 | |
| GHSA-v54h-q2vx-vgg4 | MS Teams outbound requests could leak Bot Framework tokens | 2026-06-30 | |
| GHSA-wgq8-x5wm-g4rw | Plugin install wrappers could skip install policy | 2026-06-30 |
The OpenClaw project has been renamed multiple times, causing inconsistencies across CVE records:
| CVE | vendor | product | packageURL | Description Names |
|---|---|---|---|---|
| CVE-2026-24763 | clawdbot |
clawdbot |
— | OpenClaw (formerly Clawdbot) |
| CVE-2026-25253 | OpenClaw |
OpenClaw |
pkg:npm/clawdbot |
OpenClaw / clawdbot / Moltbot |
| CVE-2026-28478 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53819 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53814 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53817 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53843 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53816 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53849 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53857 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-28469 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-35630 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-25157 | openclaw |
openclaw |
— | OpenClaw |
| CVE-2026-53810 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53806 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53811 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53855 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53853 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53866 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53864 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-28458 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53813 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53865 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-26317 | openclaw |
clawdbot |
— | OpenClaw (formerly Clawdbot) |
| CVE-2026-53815 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53842 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53846 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53858 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-28480 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53818 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-29612 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53850 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-28452 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-26328 | openclaw |
clawdbot |
— | OpenClaw (formerly Clawdbot) |
| CVE-2026-53851 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53840 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53844 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53854 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53863 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53859 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53856 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53847 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53861 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53812 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53809 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53845 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53852 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53848 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53860 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53862 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| CVE-2026-53841 | OpenClaw |
OpenClaw |
pkg:npm/openclaw |
OpenClaw |
| Source | URL |
|---|---|
| CVE List v5 (full scan, all CNAs) | CVEProject/cvelistV5 — every record affecting OpenClaw, any assigner |
| GitHub Advisory DB | github.com/advisories |
| Repo Security Tab | openclaw/openclaw/security |
| CVE Services API | https://cveawg.mitre.org/api/cve-id/{CVE-ID} |
Auto-generated by update_readme.py · Updated every 6h via GitHub Actions
Data: ghsa-advisories.json · cves.json · cve-pipeline-status.json
Maintained by Jerry Gamblin · OpenClawCVEs