Filtered by vendor Openclaw
Subscribe
Total
196 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32007 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.8 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system. | |||||
| CVE-2026-32006 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 3.1 LOW |
| OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks. | |||||
| CVE-2026-22172 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 9.9 CRITICAL |
| OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can exploit this logic flaw to present unauthorized scopes such as operator.admin and perform admin-only gateway operations. | |||||
| CVE-2026-32045 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 5.9 MEDIUM |
| OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials. | |||||
| CVE-2026-32053 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call handling and state corruption. | |||||
| CVE-2026-32054 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system. | |||||
| CVE-2026-32058 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 2.6 LOW |
| OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing execution-integrity controls in approval-enabled workflows. | |||||
| CVE-2026-32064 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 7.7 HIGH |
| OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without credentials. | |||||
| CVE-2026-32065 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 4.8 MEDIUM |
| OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than what the approver displayed, allowing unexpected command execution under the OpenClaw runtime user when they can influence command argv and reuse an approval context. | |||||
| CVE-2026-32067 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 3.7 LOW |
| OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account in multi-account deployments without explicit approval, bypassing authorization boundaries. | |||||
| CVE-2026-32897 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 3.7 LOW |
| OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security. | |||||
| CVE-2026-32898 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 5.4 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to reach auto-approve paths. | |||||
| CVE-2026-32899 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 4.3 MEDIUM |
| OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders. | |||||
| CVE-2026-32048 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions. | |||||
| CVE-2026-32046 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 5.3 MEDIUM |
| OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the host system. | |||||
| CVE-2026-32043 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands on node hosts. | |||||
| CVE-2026-32913 | 1 Openclaw | 1 Openclaw | 2026-03-24 | N/A | 9.3 CRITICAL |
| OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept sensitive headers like X-Api-Key and Private-Token intended for the original destination. | |||||
| CVE-2026-32895 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.4 MEDIUM |
| OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast events. | |||||
| CVE-2026-32896 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 4.8 MEDIUM |
| OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin. | |||||
| CVE-2026-32004 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers can bypass plugin route authentication checks by submitting deeply encoded slash variants such as multi-encoded %2f to access protected /api/channels endpoints. | |||||