Total: 196 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32014 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 8.0 HIGH |
| OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof reconnect metadata to bypass platform-based node command policies and gain access to restricted commands. | |||||
| CVE-2026-32056 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands are executed. | |||||
| CVE-2026-32003 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.6 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker who can invoke system.run with request-scoped environment variables can execute arbitrary shell commands outside the intended allowlisted command body through bash xtrace expansion. | |||||
| CVE-2026-32002 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.3 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls. | |||||
| CVE-2026-32001 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.4 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject unauthorized node.event calls, triggering agent.request and voice.transcript flows without proper device pairing. | |||||
| CVE-2026-32009 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.7 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a policy bypass vulnerability in the safeBins allowlist evaluation that trusts static default directories including writable package-manager paths like /opt/homebrew/bin and /usr/local/bin. An attacker with write access to these trusted directories can place a malicious binary with the same name as an allowed executable to achieve arbitrary command execution within the OpenClaw runtime context. | |||||
| CVE-2026-32013 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 8.8 HIGH |
| OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks. | |||||
| CVE-2026-32011 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.3.2 contain a denial of service vulnerability in webhook handlers for BlueBubbles and Google Chat that parse request bodies before performing authentication and signature validation. Unauthenticated attackers can exploit this by sending slow or oversized request bodies to exhaust parser resources and degrade service availability. | |||||
| CVE-2026-32010 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.3 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrary external programs without operator approval in allowlist mode with ask=on-miss enabled. | |||||
| CVE-2026-32020 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 3.3 LOW |
| OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass directory confinement checks and read arbitrary files outside the intended root. | |||||
| CVE-2026-32024 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.5 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process. | |||||
| CVE-2026-32008 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data. | |||||
| CVE-2026-32041 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.9 MEDIUM |
| OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capable actions without valid credentials. | |||||
| CVE-2026-32040 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 4.6 MEDIUM |
| OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft session entries with specially crafted mimeType attributes that break out of the img src data-URL context to achieve cross-site scripting when the exported HTML is opened. | |||||
| CVE-2026-32039 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 5.9 MEDIUM |
| OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyped sender keys by forcing collisions with mutable identity values such as senderName or senderUsername to bypass sender-authorization policies and gain unauthorized access to privileged tools. | |||||
| CVE-2026-32038 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 9.8 CRITICAL |
| OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the `docker.network` parameter with `container:<id>` values to reach services in target container namespaces and bypass network hardening controls. | |||||
| CVE-2026-32037 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.0 MEDIUM |
| OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-allowlisted targets, bypassing SSRF boundary controls. | |||||
| CVE-2026-32026 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by providing malicious media references to read and exfiltrate arbitrary files from the host temporary directory through attachment delivery mechanisms. | |||||
| CVE-2026-32036 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 6.5 MEDIUM |
| OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded traversal patterns to access protected plugin channel routes when handlers normalize the incoming path, circumventing security controls. | |||||
| CVE-2026-32025 | 1 Openclaw | 1 Openclaw | 2026-03-23 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.25 contain an authentication hardening gap in browser-origin WebSocket clients that allows attackers to bypass origin checks and auth throttling on loopback deployments. An attacker can trick a user into opening a malicious webpage and perform password brute-force attacks against the gateway to establish an authenticated operator session and invoke control-plane methods. | |||||
