Total
196 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-31997 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.0 MEDIUM |
| OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling arbitrary command execution. | |||||
| CVE-2026-31999 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.3 MEDIUM |
| OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. Remote attackers can exploit improper shell execution fallback mechanisms to achieve command execution integrity loss by controlling the current working directory during wrapper resolution. | |||||
| CVE-2026-31994 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-19 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context. | |||||
| CVE-2026-31995 | 2 Microsoft, Openclaw | 2 Windows, Openclaw | 2026-03-19 | N/A | 5.3 MEDIUM |
| OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When spawn failures trigger shell fallback with shell: true, attackers can exploit cmd.exe command interpretation to execute malicious commands by controlling workflow arguments. | |||||
| CVE-2026-22178 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns or metacharacters in mention metadata to trigger catastrophic backtracking, block message processing, or remove unintended content before model processing. | |||||
| CVE-2026-22177 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context. | |||||
| CVE-2026-22175 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. Attackers can exploit this by invoking arbitrary payloads under the same multiplexer wrapper to satisfy stored allowlist rules, bypassing intended execution restrictions. | |||||
| CVE-2026-22171 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 8.2 HIGH |
| OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who can control Feishu media key values returned to the client can use traversal segments to escape os.tmpdir() and write arbitrary files within the OpenClaw process permissions. | |||||
| CVE-2026-22168 | 1 Openclaw | 1 Openclaw | 2026-03-19 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign command. Attackers can smuggle malicious arguments through cmd.exe /c to achieve local command execution on trusted Windows nodes with mismatched audit logs. | |||||
| CVE-2026-27522 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user. | |||||
| CVE-2026-27523 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement. | |||||
| CVE-2026-27545 | 1 Openclaw | 1 Openclaw | 2026-03-18 | N/A | 6.1 MEDIUM |
| OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker can modify mutable parent symlink path components between approval and execution time to redirect command execution to a different location while preserving the visible working directory string. | |||||
| CVE-2026-28477 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.1 HIGH |
| OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts. | |||||
| CVE-2026-28478 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation. | |||||
| CVE-2026-28479 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 7.5 HIGH |
| OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse. | |||||
| CVE-2026-28480 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 6.5 MEDIUM |
| OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders. | |||||
| CVE-2026-28481 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 6.5 MEDIUM |
| OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft. | |||||
| CVE-2026-30741 | 1 Openclaw | 1 Openclaw | 2026-03-17 | N/A | 9.8 CRITICAL |
| A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack. | |||||
| CVE-2026-4040 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 1.7 LOW | 3.3 LOW |
| A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised. | |||||
| CVE-2026-4039 | 1 Openclaw | 1 Openclaw | 2026-03-16 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component. | |||||