Skip to content

jgamblin/OpenClawCVEs

Repository files navigation

🛡️ OpenClaw CVE & Security Advisory Tracker

Total Advisories All-CNA CVEs Project CVEs Assigned CVEs Published Reserved
Critical High Medium Low Awaiting CVE

An automated tracker that continuously monitors OpenClaw security advisories across the GitHub Advisory Database, repo-level security advisories, and a full scan of the CVE V5 (cvelistV5) registry covering every CVE affecting OpenClaw regardless of which CNA assigned it. On each run it pulls the latest data, reconciles GHSA → CVE publication state, breaks the totals down by assigning CNA, and regenerates this dashboard so you always have an up-to-date picture of the project's vulnerability landscape.

Last updated: 2026-07-06 15:41 UTC · MIT License · Full Advisory List · Security Policy · Data: cvelistV5 + Advisory DB · Updates every 6h


All CVEs by CNA · Published CVEs · Pipeline · Advisories · Categories · Insights · Identity


🏗️ Project Identity

Field Value
Current Name OpenClaw
Previous Names Moltbot (second name), Clawdbot (original name)
Repository openclaw/openclaw
npm Package openclaw (formerly clawdbot)
Author Peter Steinberger (steipete)
Search terms for CVE discovery

To find all CVEs, search for: openclaw, clawdbot, moltbot, clawhub, pkg:npm/clawdbot, pkg:npm/openclaw


🌐 All OpenClaw CVEs by Assigning CNA (CVE List V5)

The sections lower down track CVEs that have an OpenClaw GitHub Security Advisory — i.e. CVEs the project issued itself. That is only part of the picture. A direct scan of the authoritative CVE List V5 registry finds 543 CVEs that name OpenClaw as an affected product, the large majority assigned by third-party researchers rather than the project. Earlier versions of this tracker reported only the ~51 project-issued (GHSA-linked) CVEs and were blind to this external stream.

Count
Total OpenClaw CVEs (all CNAs) 543
Project-issued (GitHub as CNA) 34
Third-party-issued (VulnCheck, ZDI, MITRE, …) 509

By Assigning CNA

CNA CVEs Share
VulnCheck 500 92.1%
GitHub_M 34 6.3%
VulDB 4 0.7%
zdi 3 0.6%
mitre 2 0.4%

2026 Monthly Publish Trend

The steady third-party (VulnCheck-led) disclosure cadence across 2026:

Month CVEs
2026-02 35 ████
2026-03 198 ████████████████████
2026-04 174 ██████████████████
2026-05 75 ████████
2026-06 61 ██████

Methodology: generated by reconcile_cnas.py, which scans every record in CVEProject/cvelistV5 and selects those whose containers.cna.affected[].vendor or .product is openclaw (case-insensitive), or that reference github.com/openclaw/openclaw. REJECTED records are excluded. VulnCheck is by far the dominant CNA — its researchers drive the bulk of OpenClaw disclosures. The GHSA-based sections below cover the project's own advisories and are unchanged. Full reconciled set: openclaw-cves-all.json · aggregates: cna-breakdown.json.


🚀 CVEs Published in cvelistV5 (51)

These CVEs have full records in the CVEProject/cvelistV5 repository:

CVE ID Severity CVSS Title CWE Published
CVE-2026-24763 High 8.8 OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable CWE-78 2026-02-02
CVE-2026-25253 High 8.8 OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl CWE-669 2026-02-01
CVE-2026-28478 High 8.7 OpenClaw affected by denial of service via unbounded webhook request body buffering CWE-770 2026-03-05
CVE-2026-53819 High 8.7 OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows CWE-426 2026-06-11
CVE-2026-53814 High 8.7 OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority CWE-266 2026-06-11
CVE-2026-53817 High 8.7 OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing CWE-290 2026-06-11
CVE-2026-53843 High 8.7 OpenClaw: Pairing-scoped device session could restore revoked node token authority CWE-613 2026-06-16
CVE-2026-53816 High 8.6 OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node CWE-862 2026-06-11
CVE-2026-53849 High 8.6 OpenClaw: Discord allowFrom could bind to mutable display names CWE-290 2026-06-16
CVE-2026-53857 High 8.6 OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy CWE-290 2026-06-16
CVE-2026-28469 High 8.2 OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting CWE-639 2026-03-05
CVE-2026-35630 High 8 OpenClaw: QQBot native approval buttons did not enforce configured approver identity CWE-862 2026-05-29
CVE-2026-25157 High 7.8 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand CWE-78 2026-02-04
CVE-2026-53810 High 7.7 OpenClaw's marketplace runtime extension metadata could point at unscanned payloads CWE-829 2026-06-11
CVE-2026-53806 High 7.7 OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation CWE-367 2026-06-11
CVE-2026-53811 High 7.7 OpenClaw: Matrix allowFrom could bind to mutable display names CWE-290 2026-06-11
CVE-2026-53855 High 7.6 OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks CWE-184, CWE-863 2026-06-16
CVE-2026-53853 High 7.6 OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns CWE-693, CWE-863 2026-06-16
CVE-2026-53866 High 7.6 OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing CWE-862 2026-06-16
CVE-2026-53864 High 7.6 OpenClaw: Host environment sanitizer missed two Node.js control variables CWE-184 2026-06-16
CVE-2026-28458 High 7.4 OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access CWE-306 2026-03-05
CVE-2026-53813 High 7.3 OpenClaw: Fake package roots could influence memory-core artifact loading CWE-427 2026-06-11
CVE-2026-53865 High 7.2 OpenClaw: Workspace-derived service PATH could influence trash command selection CWE-426 2026-06-16
CVE-2026-26317 High 7.1 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints CWE-352 2026-02-19
CVE-2026-53815 High 7.1 OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions CWE-862 2026-06-11
CVE-2026-53842 High 7 OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution CWE-426 2026-06-16
CVE-2026-53846 High 7 OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install CWE-426 2026-06-16
CVE-2026-53858 High 7 OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots CWE-426 2026-06-16
CVE-2026-28480 Medium 6.9 OpenClaw Telegram allowlist authorization accepted mutable usernames CWE-290 2026-03-05
CVE-2026-53818 Medium 6.9 OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback CWE-862 2026-06-11
CVE-2026-29612 Medium 6.8 OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding CWE-770 2026-03-05
CVE-2026-53850 Medium 6.8 OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command CWE-862 2026-06-16
CVE-2026-28452 Medium 6.7 OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) CWE-770 2026-03-05
CVE-2026-26328 Medium 6.5 OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities CWE-284, CWE-863 2026-02-19
CVE-2026-53851 Medium 6.3 OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass CWE-862 2026-06-16
CVE-2026-53840 Medium 6 OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin CWE-522 2026-06-16
CVE-2026-53844 Medium 6 OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search CWE-862 2026-06-16
CVE-2026-53854 Medium 6 OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state CWE-863 2026-06-16
CVE-2026-53863 Medium 6 OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy CWE-639 2026-06-16
CVE-2026-53859 Medium 6 OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency CWE-1023, CWE-918 2026-06-16
CVE-2026-53856 Medium 5.7 OpenClaw: Config recovery could restore openclaw.json with broad file permissions CWE-732 2026-06-16
CVE-2026-53847 Medium 5.3 OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope CWE-266 2026-06-16
CVE-2026-53861 Medium 5.3 OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS CWE-184 2026-06-16
CVE-2026-53812 Medium 4.9 OpenClaw's browser act interactions could bypass private-network navigation checks CWE-918 2026-06-11
CVE-2026-53809 Medium 4.8 OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy CWE-863 2026-06-11
CVE-2026-53845 Low 2.3 OpenClaw: Skill-command dispatch could skip before-tool-call hooks CWE-693 2026-06-16
CVE-2026-53852 Low 2.3 OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing CWE-636 2026-06-16
CVE-2026-53848 Low 2.3 OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers CWE-184 2026-06-16
CVE-2026-53860 Low 2.3 OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers CWE-807, CWE-863 2026-06-16
CVE-2026-53862 Low 2.3 OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening CWE-266, CWE-345 2026-06-16
CVE-2026-53841 Low 2.1 OpenClaw: Exported session HTML could keep unsafe markdown links CWE-83 2026-06-16
📖 Detailed CVE Analysis (click to expand)

CVE-2026-24763 — OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable

Field Detail
CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Affected < 2026.1.29
Vendor/Product clawdbot / clawdbot
Advisory GHSA-mc68-q9jw-2h3v

OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.

Naming note: Uses old name clawdbot/clawdbot as vendor/product. References:


CVE-2026-25253 — OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

Field Detail
CVSS 8.8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE CWE-669 (CWE-669 Incorrect Resource Transfer Between Spheres)
Affected < 2026.1.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-g8p2-7wf7-98mq

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Naming note: Uses all three names in description. packageURL still references pkg:npm/clawdbot. References:


CVE-2026-28478 — OpenClaw affected by denial of service via unbounded webhook request body buffering

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.13
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q447-rj3r-2cgh

OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.

References:


CVE-2026-53819 — OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.27
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8wg3-5mcm-fjq8

OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.

References:


CVE-2026-53814 — OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment)
Affected < 2026.5.20
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-6fvr-66p3-3qj4

OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications.

References:


CVE-2026-53817 — OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.22
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-chr9-m4q2-76hw

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.

References:


CVE-2026-53843 — OpenClaw: Pairing-scoped device session could restore revoked node token authority

Field Detail
CVSS 8.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-613 (Insufficient Session Expiration)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q99w-vh6v-q3v7

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

References:


CVE-2026-53816 — OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node

Field Detail
CVSS 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.18
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-3c6j-hq33-3jv4

OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide.

References:


CVE-2026-53849 — OpenClaw: Discord allowFrom could bind to mutable display names

Field Detail
CVSS 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.7
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-cw4q-gqg5-g38h

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.

References:


CVE-2026-53857 — OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy

Field Detail
CVSS 8.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.3
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8c59-hr4w-qg69

OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.

References:


CVE-2026-28469 — OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting

Field Detail
CVSS 8.2 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-639 (Authorization Bypass Through User-Controlled Key)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rq6g-px6m-c248

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.

References:


CVE-2026-35630 — OpenClaw: QQBot native approval buttons did not enforce configured approver identity

Field Detail
CVSS 8 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.18
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mgq6-vr84-7m2j

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization.

References:


CVE-2026-25157 — OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand

Field Detail
CVSS 7.8 (HIGH) — CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE CWE-78 (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
Affected < 2026.1.29
Vendor/Product openclaw / openclaw
Advisory GHSA-q284-4pvr-m585

OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.


CVE-2026-53810 — OpenClaw's marketplace runtime extension metadata could point at unscanned payloads

Field Detail
CVSS 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)
Affected < 2026.5.18
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-v6r2-jh58-xx6w

OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning.

References:


CVE-2026-53806 — OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation

Field Detail
CVSS 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-vxx3-6hc9-7cc3

OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled.

References:


CVE-2026-53811 — OpenClaw: Matrix allowFrom could bind to mutable display names

Field Detail
CVSS 7.7 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.5.7
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-7hxm-f538-3xp6

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration.

References:


CVE-2026-53855 — OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs), CWE-863 (Incorrect Authorization)
Affected < 2026.4.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-5cj2-3jr2-5h77

OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.

References:


CVE-2026-53853 — OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CWE CWE-693 (Protection Mechanism Failure), CWE-863 (Incorrect Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-v2ww-5rh7-2h5v

OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.

References:


CVE-2026-53866 — OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-f397-5vjw-v2c2

OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.

References:


CVE-2026-53864 — OpenClaw: Host environment sanitizer missed two Node.js control variables

Field Detail
CVSS 7.6 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-ccwh-wwpp-6wg5

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.

References:


CVE-2026-28458 — OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access

Field Detail
CVSS 7.4 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-306 (Missing Authentication for Critical Function)
Affected < 2026.2.1
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mr32-vwc2-5j6h

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.

References:


CVE-2026-53813 — OpenClaw: Fake package roots could influence memory-core artifact loading

Field Detail
CVSS 7.3 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE CWE-427 (Uncontrolled Search Path Element)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-v8cx-933x-r976

OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.

References:


CVE-2026-53865 — OpenClaw: Workspace-derived service PATH could influence trash command selection

Field Detail
CVSS 7.2 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rx78-29qr-5hq8

OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.

References:


CVE-2026-26317 — OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints

Field Detail
CVSS 7.1 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
CWE CWE-352 (CWE-352: Cross-Site Request Forgery (CSRF))
Affected <= 2026.1.24-3
Vendor/Product openclaw / clawdbot
Advisory GHSA-3fqr-4cg8-h96q

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or Sec-Fetch-Site: cross-site). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.

Naming note: Uses old name openclaw/clawdbot as vendor/product. References:


CVE-2026-53815 — OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions

Field Detail
CVSS 7.1 (HIGH) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.19
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-q7q8-3mgw-q67r

OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages.

References:


CVE-2026-53842 — OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-fq9j-vw4w-fr6v

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.

References:


CVE-2026-53846 — OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.4.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-24vr-rprv-67rf

OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.

References:


CVE-2026-53858 — OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots

Field Detail
CVSS 7 (HIGH) — CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-426 (Untrusted Search Path)
Affected < 2026.5.2
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-wc84-j36w-pw4x

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.

References:


CVE-2026-28480 — OpenClaw Telegram allowlist authorization accepted mutable usernames

Field Detail
CVSS 6.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-290 (Authentication Bypass by Spoofing)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mj5r-hh7j-4gxf

OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.

References:


CVE-2026-53818 — OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback

Field Detail
CVSS 6.9 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.4.24
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rj6p-xmxr-qj4h

OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.

References:


CVE-2026-29612 — OpenClaw < 2026.2.14 - Denial of Service via Large Base64 Media File Decoding

Field Detail
CVSS 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-w2cg-vxx6-5xjg

OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.

References:


CVE-2026-53850 — OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command

Field Detail
CVSS 6.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-mpc8-jxjh-qpgh

OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.

References:


CVE-2026-28452 — OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)

Field Detail
CVSS 6.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE CWE-770 (Allocation of Resources Without Limits or Throttling)
Affected < 2026.2.14
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-h89v-j3x9-8wqj

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.

References:


CVE-2026-26328 — OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities

Field Detail
CVSS 6.5 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CWE CWE-284 (CWE-284: Improper Access Control), CWE-863 (CWE-863: Incorrect Authorization)
Affected <= 2026.1.24-3
Vendor/Product openclaw / clawdbot
Advisory GHSA-g34w-4xqq-h79m

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage groupPolicy=allowlist, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

Naming note: Uses old name openclaw/clawdbot as vendor/product. References:


CVE-2026-53851 — OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass

Field Detail
CVSS 6.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-fcvx-5cxc-v5p8

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.

References:


CVE-2026-53840 — OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-522 (Insufficiently Protected Credentials)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rjxq-qqhf-8hwh

OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.

References:


CVE-2026-53844 — OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-862 (Missing Authorization)
Affected < 2026.4.29
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-72fw-cqh5-f324

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.

References:


CVE-2026-53854 — OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-863 (Incorrect Authorization)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-4hpg-mp64-x7xq

OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.

References:


CVE-2026-53863 — OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-639 (Authorization Bypass Through User-Controlled Key)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-985f-72mj-8gf7

OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.

References:


CVE-2026-53859 — OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency

Field Detail
CVSS 6 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-1023 (Incomplete Comparison with Missing Factors), CWE-918 (Server-Side Request Forgery (SSRF))
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-gxg4-2rrr-jhc7

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.

References:


CVE-2026-53856 — OpenClaw: Config recovery could restore openclaw.json with broad file permissions

Field Detail
CVSS 5.7 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE CWE-732 (Incorrect Permission Assignment for Critical Resource)
Affected < 2026.4.24
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-rwp6-7w3q-75fq

OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.

References:


CVE-2026-53847 — OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope

Field Detail
CVSS 5.3 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-x629-46cc-7xgw

OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.

References:


CVE-2026-53861 — OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS

Field Detail
CVSS 5.3 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-c226-q6fx-6j6c

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

References:


CVE-2026-53812 — OpenClaw's browser act interactions could bypass private-network navigation checks

Field Detail
CVSS 4.9 (MEDIUM) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
CWE CWE-918 (Server-Side Request Forgery (SSRF))
Affected < 2026.5.18
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-2hfg-4fh4-qp7f

OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities.

References:


CVE-2026-53809 — OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy

Field Detail
CVSS 4.8 (MEDIUM) — CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
CWE CWE-863 (Incorrect Authorization)
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-p39j-x9h5-q66m

OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled.

References:


CVE-2026-53845 — OpenClaw: Skill-command dispatch could skip before-tool-call hooks

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-693 (Protection Mechanism Failure)
Affected < 2026.5.6
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-68xw-r643-9p5w

OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.

References:


CVE-2026-53852 — OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-636 (Not Failing Securely ('Failing Open'))
Affected < 2026.4.25
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8mg9-j9cf-54cj

OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.

References:


CVE-2026-53848 — OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-184 (Incomplete List of Disallowed Inputs)
Affected < 2026.5.26
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-cwpp-5962-q4f6

OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.

References:


CVE-2026-53860 — OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-807 (Reliance on Untrusted Inputs in a Security Decision), CWE-863 (Incorrect Authorization)
Affected < 2026.5.7
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-8j37-5w68-wj2g

OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.

References:


CVE-2026-53862 — OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening

Field Detail
CVSS 2.3 (LOW) — CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CWE CWE-266 (Incorrect Privilege Assignment), CWE-345 (Insufficient Verification of Data Authenticity)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-9v8j-9c9g-w66c

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

References:


CVE-2026-53841 — OpenClaw: Exported session HTML could keep unsafe markdown links

Field Detail
CVSS 2.1 (LOW) — CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CWE CWE-83 (Improper Neutralization of Script in Attributes in a Web Page)
Affected < 2026.5.12
Vendor/Product OpenClaw / OpenClaw
Advisory GHSA-w9hf-3pp7-pvxv

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.

References:



⏳ CVE Publication Pipeline

Of 51 GHSAs with CVE IDs, 51 are fully published and 0 remain RESERVED.

graph LR
    A["1️⃣ GitHub Reserves<br/>CVE ID<br/><b>RESERVED</b>"] --> B["2️⃣ GHSA Goes Public<br/>with CVE ID Shown"]
    B --> C["3️⃣ CNA Submits<br/>CVE Record via<br/>CVE Services<br/><b>PUBLISHED</b>"]
    C --> D["4️⃣ cvelistV5 Bot<br/>Commits JSON File"]

    style A fill:#fee,stroke:#c33,color:#333
    style B fill:#fff3cd,stroke:#856404,color:#333
    style C fill:#d4edda,stroke:#155724,color:#333
    style D fill:#cce5ff,stroke:#004085,color:#333
Loading
CVE ID State cvelistV5 GHSA Published CNA
CVE-2026-24763 PUBLISHED 2026-02-02 GitHub_M
CVE-2026-25157 PUBLISHED 2026-02-02 GitHub_M
CVE-2026-25253 PUBLISHED 2026-02-02 mitre
CVE-2026-26317 PUBLISHED 2026-02-18 GitHub_M
CVE-2026-26328 PUBLISHED 2026-02-18 GitHub_M
CVE-2026-28452 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28458 PUBLISHED 2026-02-17 VulnCheck
CVE-2026-28469 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28478 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-28480 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-29612 PUBLISHED 2026-02-18 VulnCheck
CVE-2026-35630 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53806 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53809 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53810 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53811 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53812 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53813 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53814 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53815 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53816 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53817 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53818 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53819 PUBLISHED 2026-07-02 VulnCheck
CVE-2026-53840 PUBLISHED 2026-06-17 VulnCheck
CVE-2026-53841 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53842 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53843 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53844 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53845 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53846 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53847 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53848 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53849 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53850 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53851 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53852 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53853 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53854 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53855 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53856 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53857 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53858 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53859 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53860 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53861 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53862 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53863 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53864 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53865 PUBLISHED 2026-06-18 VulnCheck
CVE-2026-53866 PUBLISHED 2026-06-18 VulnCheck

🔑 Key Insights

Insight Detail
Dominant Weakness 59% of categorized issues relate to Allowlist Bypass (38/64)
V5 Sync Rate 51/51 CVE IDs (100%) have full cvelistV5 records
Advisory Velocity 157 security advisories across 2026-02-02 → 2026-07-02
Top Severity 1 Critical + 90 High = 91 high-impact issues (58%)

Vulnerability Categories

Category Count Examples
OS Command Injection (CWE-78) 12 PATH injection, SSH command injection, Docker exec, keychain writes
Path Traversal (CWE-22) 1 MEDIA: paths, plugin install, browser downloads, Zip Slip, transcript paths
SSRF 1 Image tool fetch, Feishu extension, attachment/media URLs, IPv6 bypass
Auth Bypass / Missing Auth 3 WebSocket config.apply, webhook verification, browser relay, sandbox bridge
Allowlist Bypass 38 Telegram usernames, Matrix displayName, Slack DM, Twitch, voice-call
Injection (XSS/CSRF/Prompt) 6 XSS in Control UI, prompt injection via Slack/CWD/logs, CSRF
Denial of Service 3 Unbounded media fetch, webhook body buffering, archive expansion

📋 All Security Advisories (157)

Critical & High Severity

GHSA CVE Severity Title Published
GHSA-7hxm-f538-3xp6 CVE-2026-53811 High OpenClaw: Matrix allowFrom could bind to mutable display names 2026-07-02
GHSA-3c6j-hq33-3jv4 CVE-2026-53816 High OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance 2026-07-02
GHSA-vxx3-6hc9-7cc3 CVE-2026-53806 High OpenClaw: Combined POSIX shell options could confuse exec revalidation 2026-07-02
GHSA-v8cx-933x-r976 CVE-2026-53813 High OpenClaw: Fake package roots could influence memory-core artifact loading 2026-07-02
GHSA-8wg3-5mcm-fjq8 CVE-2026-53819 High OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows 2026-07-02
GHSA-mgq6-vr84-7m2j CVE-2026-35630 High OpenClaw: QQBot native approval buttons did not enforce configured approver identity 2026-07-02
GHSA-6fvr-66p3-3qj4 CVE-2026-53814 High OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority 2026-07-02
GHSA-chr9-m4q2-76hw CVE-2026-53817 High OpenClaw: Control UI locality spoofing could mint a durable admin device token 2026-07-02
GHSA-v6r2-jh58-xx6w CVE-2026-53810 High OpenClaw's marketplace runtime extension metadata could point at unscanned payloads 2026-07-02
GHSA-q7q8-3mgw-q67r CVE-2026-53815 High OpenClaw: Message read actions could skip channel allowlist checks 2026-07-02
GHSA-p73f-w79w-jqr5 High OpenClaw: Native command authorization could skip owner-command enforcement 2026-07-02
GHSA-j472-gf56-x589 High OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks 2026-07-02
GHSA-77q5-rr5v-x43q High OpenClaw: Trusted retry endpoint checks could match hostname prefixes 2026-07-02
GHSA-w5ww-7chg-mxcq High OpenClaw: Telegram interactive callbacks could skip commands.allowFrom 2026-07-02
GHSA-xr4f-mjxj-w6w5 High OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes 2026-07-02
GHSA-w4v6-g3wm-w36c Critical OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy 2026-07-02
GHSA-qjpc-qf9m-xwmr High OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing 2026-07-02
GHSA-c29c-2q9c-pc86 High OpenClaw: Slack allowFrom could bind to mutable display names 2026-07-02
GHSA-jvm4-4j77-39p6 High OpenClaw: QQBot streaming command could mutate config without explicit allowFrom 2026-07-02
GHSA-83w9-h5wv-j9xm High OpenClaw: Node pairing reconnection could confuse approval scope state 2026-07-02
GHSA-hw9r-h9mr-4jff High OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates 2026-07-02
GHSA-mhq8-78pj-5j79 High OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion 2026-07-02
GHSA-rggc-m335-3wvj High OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers 2026-07-02
GHSA-2j8v-hwgc-x698 High OpenClaw: Shell wrapper argv could change between approval and execution 2026-07-02
GHSA-xww8-gqvh-92x9 High OpenClaw: Exec approval display truncation could hide the command being approved 2026-07-02
GHSA-rx78-29qr-5hq8 CVE-2026-53865 High OpenClaw: Workspace-derived service PATH could influence trash command selection 2026-06-18
GHSA-wc84-j36w-pw4x CVE-2026-53858 High OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots 2026-06-18
GHSA-cw4q-gqg5-g38h CVE-2026-53849 High OpenClaw: Discord allowFrom could bind to mutable display names 2026-06-18
GHSA-24vr-rprv-67rf CVE-2026-53846 High OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install 2026-06-18
GHSA-v2ww-5rh7-2h5v CVE-2026-53853 High OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns 2026-06-18
GHSA-8c59-hr4w-qg69 CVE-2026-53857 High OpenClaw: Zalo allowFrom could bind to mutable display names 2026-06-18
GHSA-5cj2-3jr2-5h77 CVE-2026-53855 High OpenClaw: Shell positional parameters could weaken strict inline-eval checks 2026-06-18
GHSA-fq9j-vw4w-fr6v CVE-2026-53842 High OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution 2026-06-18
GHSA-f397-5vjw-v2c2 CVE-2026-53866 High OpenClaw: Shell inline-command parsing could miss an allowlist check 2026-06-18
GHSA-q99w-vh6v-q3v7 CVE-2026-53843 High OpenClaw: Pairing-scoped device session could restore revoked node token authority 2026-06-18
GHSA-ccwh-wwpp-6wg5 CVE-2026-53864 High OpenClaw: Host environment sanitizer missed two Node.js control variables 2026-06-18
GHSA-rjxq-qqhf-8hwh CVE-2026-53840 High OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin 2026-06-17
GHSA-2w22-3f6x-3hf4 High Duplicate Advisory: Workspace-derived service PATH could influence trash command selection 2026-06-16
GHSA-vr6h-vxqj-3pjx High Duplicate Advisory: Host environment sanitizer missed two Node.js control variables 2026-06-16
GHSA-v383-2wgg-v483 High Duplicate Advisory: Shell inline-command parsing could miss an allowlist check 2026-06-16
GHSA-3v3j-737j-7g74 High Duplicate Advisory: Linux and macOS exec allowlists skipped configured argument patterns 2026-06-16
GHSA-4qgr-57jq-93vh High Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots 2026-06-16
GHSA-w7m7-3xcf-mp48 High Duplicate Advisory: Zalo allowFrom could bind to mutable display names 2026-06-16
GHSA-27pq-2ph8-8x25 High Duplicate Advisory: Shell positional parameters could weaken strict inline-eval checks 2026-06-16
GHSA-qp5j-jr73-m2pw High Duplicate Advisory: Workspace .env npm_execpath could influence bundled runtime dependency install 2026-06-16
GHSA-p44v-rx83-vjp4 High Duplicate Advisory: Discord allowFrom could bind to mutable display names 2026-06-16
GHSA-9fr2-p65v-gqxq High Duplicate Advisory: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution 2026-06-16
GHSA-wrmq-9fc4-gwwj High Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority 2026-06-16
GHSA-hx4v-668p-g2qr High Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity 2026-05-29
GHSA-xpr6-2hgm-4wwp High Duplicate Advisory: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution 2026-05-11
GHSA-rq6g-px6m-c248 CVE-2026-28469 High OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting 2026-02-18
GHSA-3fqr-4cg8-h96q CVE-2026-26317 High OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints 2026-02-18
GHSA-q447-rj3r-2cgh CVE-2026-28478 High OpenClaw affected by denial of service via unbounded webhook request body buffering 2026-02-18
GHSA-mr32-vwc2-5j6h CVE-2026-28458 High OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access 2026-02-17
GHSA-q284-4pvr-m585 CVE-2026-25157 High OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand 2026-02-02
GHSA-g8p2-7wf7-98mq CVE-2026-25253 High OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl 2026-02-02
GHSA-mc68-q9jw-2h3v CVE-2026-24763 High OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable 2026-02-02
GHSA-r2c6-8jc8-g32w High Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl 2026-02-02

Medium Severity

GHSA CVE Severity Title Published
GHSA-rj6p-xmxr-qj4h CVE-2026-53818 Medium OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers 2026-07-02
GHSA-p39j-x9h5-q66m CVE-2026-53809 Medium OpenClaw: Embedded runner policy could be confused by provider aliases 2026-07-02
GHSA-2hfg-4fh4-qp7f CVE-2026-53812 Medium OpenClaw's browser act interactions could bypass private-network navigation checks 2026-07-02
GHSA-4m3v-q747-pc6h Medium OpenClaw: Mattermost slash token revocation could lag until monitor refresh 2026-07-02
GHSA-275c-xpvc-jgfw Medium OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload 2026-07-02
GHSA-6c4r-g249-wv3c Medium OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts 2026-07-02
GHSA-77pv-3w4q-vrj5 Medium OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks 2026-07-02
GHSA-hcm3-8f6r-6xwg Medium OpenClaw: Browser debug/export routes could reuse already-open blocked tabs 2026-07-02
GHSA-grc3-2j34-p6gm Medium OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs 2026-07-02
GHSA-gp79-m99v-gjmh Medium OpenClaw: Mattermost handlers could fall open when channel type was missing 2026-07-02
GHSA-cqwv-9qjx-vxw2 Medium OpenClaw: Skill Workshop apply flow could override pending approval 2026-07-02
GHSA-wv26-j37q-2g7p Medium OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions 2026-07-02
GHSA-p2fh-f5fc-44hr Medium OpenClaw: memory-wiki ingest could read local files with operator.write scope 2026-07-02
GHSA-qh2f-99mv-mrcf Medium OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn 2026-07-02
GHSA-9c3v-684m-579c Medium OpenClaw MCP SSE redirects could forward Authorization headers 2026-07-01
GHSA-4hpg-mp64-x7xq CVE-2026-53854 Medium OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state 2026-06-18
GHSA-mpc8-jxjh-qpgh CVE-2026-53850 Medium OpenClaw: Focus command could miss controlScope enforcement 2026-06-18
GHSA-72fw-cqh5-f324 CVE-2026-53844 Medium OpenClaw: memory-wiki shared search could miss session visibility checks 2026-06-18
GHSA-rwp6-7w3q-75fq CVE-2026-53856 Medium OpenClaw: Config recovery could restore openclaw.json with broad file permissions 2026-06-18
GHSA-x629-46cc-7xgw CVE-2026-53847 Medium OpenClaw: Active Memory write scope could mutate global config 2026-06-18
GHSA-w9hf-3pp7-pvxv CVE-2026-53841 Medium OpenClaw: Exported session HTML could keep unsafe markdown links 2026-06-18
GHSA-fcvx-5cxc-v5p8 CVE-2026-53851 Medium OpenClaw: Slack reaction events could ignore reaction notification settings 2026-06-18
GHSA-gxg4-2rrr-jhc7 CVE-2026-53859 Medium OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently 2026-06-18
GHSA-c226-q6fx-6j6c CVE-2026-53861 Medium OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags 2026-06-18
GHSA-985f-72mj-8gf7 CVE-2026-53863 Medium OpenClaw: Tool group policy callers could accept unvalidated group IDs 2026-06-18
GHSA-8wmm-344f-mpjg Medium Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs 2026-06-16
GHSA-g796-jqmx-wf9q Medium Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags 2026-06-16
GHSA-vqx6-6j84-2794 Medium Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently 2026-06-16
GHSA-r2fx-hp6p-pgrm Medium Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state 2026-06-16
GHSA-vqj9-vhg4-27mg Medium Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions 2026-06-16
GHSA-c8w7-9w9h-x69q Medium Duplicate Advisory: Slack reaction events could ignore reaction notification settings 2026-06-16
GHSA-gw2c-6hcg-5g52 Medium Duplicate Advisory: Focus command could miss controlScope enforcement 2026-06-16
GHSA-58wc-8wrv-xp9j Medium Duplicate Advisory: Active Memory write scope could mutate global config 2026-06-16
GHSA-x7cf-6gp3-q5f8 Medium Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin 2026-06-16
GHSA-6jm4-83g2-35gv Medium Duplicate Advisory: memory-wiki shared search could miss session visibility checks 2026-06-16
GHSA-v8j2-5f9p-fmh4 Medium Duplicate Advisory: OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload 2026-05-11
GHSA-5jgm-f9wr-9qm7 Medium Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts 2026-05-11
GHSA-9j32-3m66-mc4m Medium Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in 2026-05-11
GHSA-mj5r-hh7j-4gxf CVE-2026-28480 Medium OpenClaw Telegram allowlist authorization accepted mutable usernames 2026-02-18
GHSA-h89v-j3x9-8wqj CVE-2026-28452 Medium OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR) 2026-02-18
GHSA-w2cg-vxx6-5xjg CVE-2026-29612 Medium OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks 2026-02-18
GHSA-g34w-4xqq-h79m CVE-2026-26328 Medium OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities 2026-02-18

Low Severity

GHSA CVE Severity Title Published
GHSA-3wqp-prf6-2m72 Low OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement 2026-07-02
GHSA-8mg9-j9cf-54cj CVE-2026-53852 Low OpenClaw: Empty-scope device re-pairing could confuse caller scope containment 2026-06-18
GHSA-8j37-5w68-wj2g CVE-2026-53860 Low OpenClaw: BlueBubbles sender policy could match mutable conversation identifiers 2026-06-18
GHSA-68xw-r643-9p5w CVE-2026-53845 Low OpenClaw: Skill-command dispatch could skip before-tool-call hooks 2026-06-18
GHSA-9v8j-9c9g-w66c CVE-2026-53862 Low OpenClaw: Bootstrap token replay could widen pending pairing scopes 2026-06-18
GHSA-cwpp-5962-q4f6 CVE-2026-53848 Low OpenClaw: Exec allowlist could miss side effects from transparent command wrappers 2026-06-18
GHSA-h9h6-pwqv-j9hv Low Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes 2026-06-16
GHSA-8hj2-w4c9-fjfq Low Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers 2026-06-16
GHSA-hc4w-hm59-9w88 Low Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment 2026-06-16
GHSA-r7vv-6763-m739 Low Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks 2026-06-16
GHSA-wrr6-p5r6-474m Low Duplicate Advisory: Exec allowlist could miss side effects from transparent command wrappers 2026-06-16
GHSA-6xcg-6q43-rj2v Low Duplicate Advisory: Exported session HTML could keep unsafe markdown links 2026-06-16
GHSA-chm2-m3w2-wcxm Low OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch 2026-02-17

Repo-Only Advisories (~44 more)

These advisories are listed on the repo security page but not yet indexed in the GitHub Advisory Database. See the full advisory list for details.

Show 44 repo-only advisories
GHSA Severity Title Published
GHSA-2q7j-2vhx-56g8 High Feishu tools could ignore per-account disablement 2026-06-30
GHSA-2x93-h3hg-2xfp High Browser snapshot routes could miss post-navigation SSRF checks 2026-06-30
GHSA-34mr-7r3m-gfg7 High Exec allowlist glob matching could allow traversal bypasses 2026-06-30
GHSA-3fp5-v549-9v66 High flock wrapper could bypass durable exec approval binding 2026-06-30
GHSA-3pmr-x9g8-m55r High Discord guild actions could skip cross-provider requester authorization 2026-06-30
GHSA-3x84-qq85-fj65 High Browser CDP discovery could accept blocked WebSocket URLs 2026-06-30
GHSA-4pqj-3c56-5fqq High Workspace dotenv files could override provider credentials 2026-06-30
GHSA-52xj-c9p8-78cv High MCP loopback could expose owner-only tools to non-owner runs 2026-06-30
GHSA-575v-8hfq-m3mc High Sandbox bind mounts could bypass parent-directory denylist checks 2026-06-30
GHSA-724r-v4wf-mqc5 High Hooks allowedAgentIds could be bypassed with blank agent IDs 2026-06-30
GHSA-7jx6-764p-fgg9 High QQBot exec approvals could allow non-allowlisted senders 2026-06-30
GHSA-7vrr-rp4x-4g76 High Plugin install commands could allow non-owner persistence 2026-06-30
GHSA-8f46-3xx3-8c9m High Node exec approvals could use different gateway and node environments 2026-06-30
GHSA-8v95-qqcm-qp9h High device.pair.approve could bypass role-management checks 2026-06-30
GHSA-9969-8g9h-rxwm High Host exec environment filtering could allow Git ext transport 2026-06-30
GHSA-cf2p-f286-mphf High Identity-bearing HTTP callers could reach admin-scoped tools 2026-06-30
GHSA-f6p7-6326-vf7v High Discord moderation actions could miss trusted requester checks 2026-06-30
GHSA-fh38-965w-f6c3 High WhatsApp group IDs could satisfy elevated sender allowlists 2026-06-30
GHSA-hjr6-g723-hmfm High Host exec environment filtering could miss interpreter startup variables 2026-06-30
GHSA-hx85-fgcw-9vrc High Device-pair approval could expose node system.run early 2026-06-30
GHSA-jhfx-v2j8-x3m6 High OpenAI-compatible HTTP model overrides could miss admin authorization 2026-06-30
GHSA-m38g-vpwj-mpg9 High OpenShell mirror sync could follow remote symlink parents 2026-06-30
GHSA-mgvr-6gvw-3rgr High Sandbox exec-server HTTP requests could reach internal networks 2026-06-30
GHSA-mm9g-83wh-mhwj High Isolated cron jobs could regain denied exec tools 2026-06-30
GHSA-p5xh-frrh-cmgj High MS Teams message actions could miss requester authorization 2026-06-30
GHSA-rh6r-vvfc-86jq High Setup-mode discovery could load untrusted workspace plugins 2026-06-30
GHSA-v7hx-r36p-f68m High Message mutations could skip requester authorization 2026-06-30
GHSA-vr7j-7684-7gm5 High HTTP Canvas responses could forge trusted A2UI actions 2026-06-30
GHSA-w8wf-3qvj-6xqf High Feishu permission tools could ignore per-account disablement 2026-06-30
GHSA-wp73-f3gg-w4vr High ClickClack agent-mode dispatch could ignore toolsAllow 2026-06-30
GHSA-wxh3-g47h-q3mc High Host exec environment filtering could miss rustup startup variables 2026-06-30
GHSA-wxm8-ghhq-q688 High MS Teams safeFetch could race DNS rebinding checks 2026-06-30
GHSA-x863-pqjw-hmgf High Browser act route could miss current-tab URL checks 2026-06-30
GHSA-4xwj-mcc7-x7x5 Medium Remote media URLs could slow-read exhaust tool workers 2026-06-30
GHSA-5p6w-wmh3-frfr Medium WebSocket auth attempts could avoid non-browser rate limits 2026-06-30
GHSA-7w4v-g4m6-j88v Medium [AgentGG] MS Teams allowFrom could bind to mutable display names 2026-06-30
GHSA-fh8v-vgcv-pwh4 Medium ClickClack allowFrom could allow non-allowlisted commands 2026-06-30
GHSA-fwgr-fpv9-vf5x Medium QQBot media upload could reach untrusted remote URLs 2026-06-30
GHSA-j4cx-jvq7-79vm Medium Trajectory export could skip broad credential redaction 2026-06-30
GHSA-mhm4-93fw-4qr2 Medium Skill command dispatch could skip effective tool policy 2026-06-30
GHSA-prwc-c6w5-mmgr Medium Bot Framework serviceUrl validation could leak bot tokens 2026-06-30
GHSA-v4f6-x5g5-2g4g Medium Native web search could ignore OpenClaw tool policy 2026-06-30
GHSA-v54h-q2vx-vgg4 Medium MS Teams outbound requests could leak Bot Framework tokens 2026-06-30
GHSA-wgq8-x5wm-g4rw Medium Plugin install wrappers could skip install policy 2026-06-30

Naming Inconsistencies

The OpenClaw project has been renamed multiple times, causing inconsistencies across CVE records:

CVE vendor product packageURL Description Names
CVE-2026-24763 clawdbot clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-25253 OpenClaw OpenClaw pkg:npm/clawdbot OpenClaw / clawdbot / Moltbot
CVE-2026-28478 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53819 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53814 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53817 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53843 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53816 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53849 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53857 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28469 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-35630 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-25157 openclaw openclaw OpenClaw
CVE-2026-53810 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53806 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53811 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53855 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53853 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53866 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53864 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28458 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53813 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53865 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-26317 openclaw clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-53815 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53842 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53846 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53858 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28480 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53818 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-29612 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53850 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-28452 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-26328 openclaw clawdbot OpenClaw (formerly Clawdbot)
CVE-2026-53851 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53840 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53844 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53854 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53863 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53859 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53856 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53847 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53861 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53812 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53809 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53845 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53852 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53848 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53860 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53862 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw
CVE-2026-53841 OpenClaw OpenClaw pkg:npm/openclaw OpenClaw

Data Sources

Source URL
CVE List v5 (full scan, all CNAs) CVEProject/cvelistV5 — every record affecting OpenClaw, any assigner
GitHub Advisory DB github.com/advisories
Repo Security Tab openclaw/openclaw/security
CVE Services API https://cveawg.mitre.org/api/cve-id/{CVE-ID}

Auto-generated by update_readme.py · Updated every 6h via GitHub Actions
Data: ghsa-advisories.json · cves.json · cve-pipeline-status.json

Maintained by Jerry Gamblin · OpenClawCVEs

About

Tracking OpenClaw CVEs

Resources

License

Security policy

Stars

164 stars

Watchers

5 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors