{
"version": "0.0.3",
"updated": "2026-03-15T06:18:51Z",
"description": "Community-driven security advisory feed for ClawSec. Automatically updated with OpenClaw-related CVEs from NVD and community-reported security incidents.",
"advisories": [
{
"id": "CVE-2026-32302",
"severity": "high",
"type": "unknown_cwe_346",
"nvd_category_id": "CWE-346",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections co...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.3.11, browser-originated WebSocket connections could bypass origin validation when gateway.auth.mode was set to trusted-proxy and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session. This vulnerability is fixed in 2026.3.11.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-13T19:54:41.650",
"references": [
"https://github.com/openclaw/openclaw/commit/ebed3bbde1a72a1aaa9b87b63b91e7c04a50036b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.3.11",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5wcw-8jjv-m286"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32302",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-4040",
"severity": "low",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.ex...",
"description": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-12T12:15:59.990",
"references": [
"https://github.com/openclaw/openclaw/",
"https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1"
],
"cvss_score": 3.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4040",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-4039",
"severity": "medium",
"type": "unknown_cwe_74",
"nvd_category_id": "CWE-74",
"title": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function appl...",
"description": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-12T12:15:59.740",
"references": [
"https://github.com/openclaw/openclaw/",
"https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1"
],
"cvss_score": 6.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4039",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-30741",
"severity": "critical",
"type": "code_injection",
"nvd_category_id": "CWE-94",
"title": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to...",
"description": "A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T16:16:41.530",
"references": [
"https://github.com/Named1ess/CVE-2026-30741",
"https://github.com/OpenClaw/OpenClaw",
"https://www.bilibili.com/video/BV1LoFazeEBM"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30741",
"exploitability_score": "high",
"exploitability_rationale": "No CVSS score available; requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "unknown"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32063",
"severity": "high",
"type": "command_injection",
"nvd_category_id": "CWE-77",
"title": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in system...",
"description": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.580",
"references": [
"https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32063",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32062",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to...",
"description": "OpenClaw versions2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.340",
"references": [
"https://github.com/openclaw/openclaw/commit/1d8968c8a821ff1a05c294a1846b3bcb6f343794",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j",
"https://www.vulncheck.com/advisories/openclaw-unauthenticated-websocket-resource-exhaustion-via-media-stream"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32062",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32061",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directiv...",
"description": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:28.140",
"references": [
"https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal"
],
"cvss_score": 4.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32061",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.4); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32060",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allo...",
"description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:27.943",
"references": [
"https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32060",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-32059",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fail...",
"description": "OpenClaw version 2026.2.22-2 prior to 2026.2.23 tools.exec.safeBins validation for sort command fails to properly validate GNU long-option abbreviations, allowing attackers to bypass denied-flag checks via abbreviated options. Remote attackers can execute sort commands with abbreviated long options to skip approval requirements in allowlist mode.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-11T14:16:27.743",
"references": [
"https://github.com/openclaw/openclaw/commit/3b8e33037ae2e12af7beb56fcf0346f1f8cbde6f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-sort-long-option-abbreviation-in-toolsexecsafebins"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32059",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29613",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) we...",
"description": "OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operates behind a reverse proxy, unauthenticated remote attackers can inject arbitrary BlueBubbles message and reaction events by reaching the proxy endpoint.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.850",
"references": [
"https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a",
"https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xc7w-v5x6-cc87"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29613",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29612",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing...",
"description": "OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.660",
"references": [
"https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29611",
"severity": "high",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles ext...",
"description": "OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.460",
"references": [
"https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv",
"https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29611",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29610",
"severity": "high",
"type": "unknown_cwe_427",
"nvd_category_id": "CWE-427",
"title": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers...",
"description": "OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution surfaces or those running OpenClaw in attacker-controlled directories can place malicious executables in PATH to override allowlisted safe-bin commands and achieve arbitrary command execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.253",
"references": [
"https://github.com/openclaw/openclaw/commit/013e8f6b3be3333a229a066eef26a45fec47ffcc",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jqpq-mgvm-f9r6",
"https://www.vulncheck.com/advisories/openclaw-command-hijacking-via-unsafe-path-handling"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29610",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29609",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard...",
"description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote attackers can trigger memory exhaustion by serving oversized responses without content-length headers to cause availability loss.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:24.043",
"references": [
"https://github.com/openclaw/openclaw/commit/00a08908892d1743d1fc52e5cbd9499dd5da2fe0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-j27p-hq53-9wgc",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-url-backed-media-fetch"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29609",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-29606",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-ca...",
"description": "OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.850",
"references": [
"https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51b5c9",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76",
"https://www.vulncheck.com/advisories/openclaw-webhook-signature-verification-bypass-via-ngrok-loopback-compatibility"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29606",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28486",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive e...",
"description": "OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2026.1.16-2:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.640",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28486",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28485",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent...",
"description": "OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations. Remote attackers on the local network or local processes can execute arbitrary browser-context actions and access sensitive in-session data by sending requests to unauthenticated endpoints.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.440",
"references": [
"https://github.com/openclaw/openclaw/commit/9230a2ae14307740a13ada7afd6dcfab34e0287f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qpjj-47vm-64pj",
"https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-control-http-endpoints"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28485",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28482",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId par...",
"description": "OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:23.013",
"references": [
"https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26",
"https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28482",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28481",
"severity": "medium",
"type": "unknown_cwe_201",
"nvd_category_id": "CWE-201",
"title": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in...",
"description": "OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.810",
"references": [
"https://github.com/openclaw/openclaw/commit/41cc5bcd4f1d434ad1bbdfa55b56f25025ecbf6b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7vwx-582j-j332",
"https://www.vulncheck.com/advisories/openclaw-bearer-token-leakage-via-ms-teams-attachment-downloader-suffix-matching"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28481",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28480",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram al...",
"description": "OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.610",
"references": [
"https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128",
"https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28479",
"severity": "high",
"type": "risky_cryptographic_algorithm",
"nvd_category_id": "CWE-327",
"title": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and ...",
"description": "OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker can exploit SHA-1 collisions to cause cache poisoning, allowing one sandbox configuration to be misinterpreted as another and enabling unsafe sandbox state reuse.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.410",
"references": [
"https://github.com/openclaw/openclaw/commit/559c8d9930eebb5356506ff1a8cd3dbaec92be77",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-fh3f-q9qw-93j9",
"https://www.vulncheck.com/advisories/openclaw-cache-poisoning-via-deprecated-sha-hash-in-sandbox-configuration"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28479",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28478",
"severity": "high",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers t...",
"description": "OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can send oversized JSON payloads or slow uploads to webhook endpoints causing memory pressure and availability degradation.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.210",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28477",
"severity": "high",
"type": "cross_site_request_forgery",
"nvd_category_id": "CWE-352",
"title": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the m...",
"description": "OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:22.007",
"references": [
"https://github.com/openclaw/openclaw/commit/a99ad11a4107ba8eac58f54a3c1a8a0cf5686f47",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7rcp-mxpq-72pj",
"https://www.vulncheck.com/advisories/openclaw-oauth-state-validation-bypass-in-manual-chutes-login-flow"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28477",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28476",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the opti...",
"description": "OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence the configured Urbit URL can induce the gateway to make HTTP requests to arbitrary hosts including internal addresses.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.807",
"references": [
"https://github.com/openclaw/openclaw/commit/bfa7d21e997baa8e3437657d59b1e296815cc1b1",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pg2v-8xwh-qhcc",
"https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-in-tlon-extension-authentication"
],
"cvss_score": 8.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28476",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28475",
"severity": "medium",
"type": "unknown_cwe_208",
"nvd_category_id": "CWE-208",
"title": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validati...",
"description": "OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.617",
"references": [
"https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-47q7-97xp-m272",
"https://www.vulncheck.com/advisories/openclaw-timing-attack-via-hook-token-comparison"
],
"cvss_score": 4.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28475",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28474",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable ...",
"description": "OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.",
"affected": [
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.423",
"references": [
"https://github.com/openclaw/openclaw/commit/6b4b6049b47c3329a7014509594647826669892d",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r5h9-vjqc-hq3r",
"https://www.vulncheck.com/advisories/openclaw-nextcloud-talk-allowlist-bypass-via-actorname-display-name-spoofing"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28474",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28473",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with...",
"description": "OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat command. The /approve command path invokes exec.approval.resolve through an internal privileged gateway client, bypassing the operator.approvals permission check that protects direct RPC calls.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.220",
"references": [
"https://github.com/openclaw/openclaw/commit/efe2a464afcff55bb5a95b959e6bd9ec0fef086e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mqpw-46fh-299h",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-approve-chat-command"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28473",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28472",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handsha...",
"description": "OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting the presence check instead of validation, potentially gaining operator access in vulnerable deployments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:21.017",
"references": [
"https://github.com/openclaw/openclaw/commit/fe81b1d7125a014b8280da461f34efbf5f761575",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rv39-79c4-7459",
"https://www.vulncheck.com/advisories/openclaw-device-identity-check-bypass-in-gateway-websocket-connect-handshake"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28472",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28471",
"severity": "medium",
"type": "improper_authentication",
"nvd_category_id": "CWE-287",
"title": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contai...",
"description": "OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.817",
"references": [
"https://github.com/openclaw/openclaw/commit/8f3bfbd1c4fb967a2ddb5b4b9a05784920814bcf",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rmxw-jxxx-4cpc",
"https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-displayname-and-cross-homeserver-localpart-matching-in-matrix"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28471",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28470",
"severity": "critical",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vul...",
"description": "OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution syntax. Attackers can bypass the allowlist protection by embedding unescaped $() or backticks inside double-quoted strings to execute unauthorized commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.607",
"references": [
"https://github.com/openclaw/openclaw/commit/d1ecb46076145deb188abcba8f0699709ea17198",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3hcm-ggvf-rch5",
"https://www.vulncheck.com/advisories/openclaw-exec-allowlist-bypass-via-command-substitution-in-double-quotes"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28470",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28469",
"severity": "high",
"type": "insecure_direct_object_reference",
"nvd_category_id": "CWE-639",
"title": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat moni...",
"description": "OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets share the same HTTP path. Attackers can exploit first-match request verification semantics to process inbound webhook events under incorrect account contexts, bypassing intended allowlists and session policies.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.407",
"references": [
"https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248",
"https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28468",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser...",
"description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local attackers to access browser control endpoints. A local attacker can enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:20.197",
"references": [
"https://github.com/openclaw/openclaw/commit/4711a943e30bc58016247152ba06472dab09d0b0",
"https://github.com/openclaw/openclaw/commit/6dd6bce997c48752134f2d6ed89b27de01ced7e3",
"https://github.com/openclaw/openclaw/commit/cd84885a4ac78eadb7bf321aae98db9519426d67"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28468",
"exploitability_score": "medium",
"exploitability_rationale": "High CVSS score (7.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28467",
"severity": "medium",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachmen...",
"description": "OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trigger SSRF to internal resources and exfiltrate fetched response bytes as outbound attachments.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.997",
"references": [
"https://github.com/openclaw/openclaw/commit/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae",
"https://github.com/openclaw/openclaw/commit/9bd64c8a1f91dda602afc1d5246a2ff2be164647",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wfp2-v9c7-fh79"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28467",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28466",
"severity": "critical",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to san...",
"description": "OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject approval control fields to execute arbitrary commands on connected node hosts, potentially compromising developer workstations and CI runners.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.790",
"references": [
"https://github.com/openclaw/openclaw/commit/0af76f5f0e93540efbdf054895216c398692afcd",
"https://github.com/openclaw/openclaw/commit/318379cdb8d045da0009b0051bd0e712e5c65e2d",
"https://github.com/openclaw/openclaw/commit/a7af646fdab124a7536998db6bd6ad567d2b06b0"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28466",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28465",
"severity": "medium",
"type": "unknown_cwe_290",
"nvd_category_id": "CWE-290",
"title": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerabili...",
"description": "OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.593",
"references": [
"https://github.com/openclaw/openclaw/commit/a749db9820eb6d6224032a5a34223d286d2dcc2f",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3m3q-x3gj-f79x",
"https://www.vulncheck.com/advisories/openclaw-voice-call-webhook-verification-bypass-via-forwarded-headers"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28465",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28464",
"severity": "medium",
"type": "unknown_cwe_208",
"nvd_category_id": "CWE-208",
"title": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validati...",
"description": "OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually determine the authentication token.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.393",
"references": [
"https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jmm5-fvh5-gf4p",
"https://www.vulncheck.com/advisories/openclaw-timing-attack-in-hooks-token-authentication"
],
"cvss_score": 5.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28464",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.9); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28463",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses rea...",
"description": "OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via glob patterns or environment variables. Authorized callers or prompt-injection attacks can exploit this to disclose files readable by the gateway or node process when host execution is enabled in allowlist mode.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:19.127",
"references": [
"https://github.com/openclaw/openclaw/commit/77b89719d5b7e271f48b6f49e334a8b991468c3b",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xvhf-x56f-2hpp",
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-shell-expansion-in-safe-bins-allowlist"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28463",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28462",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it ...",
"description": "OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.873",
"references": [
"https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28462",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28459",
"severity": "high",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authe...",
"description": "OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.670",
"references": [
"https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda",
"https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28459",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28458",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extensio...",
"description": "OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication tokens, allowing websites to connect via loopback and access sensitive data. Attackers can exploit this by connecting to ws://127.0.0.1:18792/cdp to steal session cookies and execute JavaScript in other browser tabs.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.457",
"references": [
"https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mr32-vwc2-5j6h",
"https://www.vulncheck.com/advisories/openclaw-missing-authentication-in-browser-relay-cdp-websocket-endpoint"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28458",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28457",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirrori...",
"description": "OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.227",
"references": [
"https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7",
"https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter"
],
"cvss_score": 6.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28457",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.1); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28456",
"severity": "high",
"type": "unknown_cwe_427",
"nvd_category_id": "CWE-427",
"title": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it doe...",
"description": "OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), allowing code execution. An attacker with gateway configuration modification access can load and execute unintended local modules in the Node.js process.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:18.020",
"references": [
"https://github.com/openclaw/openclaw/commit/35c0e66ed057f1a9f7ad2515fdcef516bd6584ce",
"https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v6c6-vqqg-w888"
],
"cvss_score": 7.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28456",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.2); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28454",
"severity": "high",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must ...",
"description": "OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker-controlled JSON payloads. Remote attackers can forge Telegram updates by spoofing message.from.id and chat.id fields to bypass sender allowlists and execute privileged bot commands.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.817",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670",
"https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28454",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28453",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, all...",
"description": "OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.617",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw",
"https://www.vulncheck.com/advisories/openclaw-zip-slip-path-traversal-in-tar-archive-extraction"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28453",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28452",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive...",
"description": "OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.410",
"references": [
"https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea",
"https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28451",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feis...",
"description": "OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls through direct manipulation or prompt injection to trigger requests to internal services and re-upload responses as Feishu media.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.210",
"references": [
"https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-x22m-j5qq-j49m",
"https://www.vulncheck.com/advisories/openclaw-ssrf-via-feishu-extension-media-fetching"
],
"cvss_score": 8.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28451",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28450",
"severity": "medium",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated H...",
"description": "OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attackers can exploit these endpoints to read sensitive profile data, modify Nostr profiles, persist malicious changes to gateway configuration, and publish signed Nostr events using the bot's private key when the gateway HTTP port is accessible beyond localhost.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:17.003",
"references": [
"https://github.com/openclaw/openclaw/commit/647d929c9d0fd114249230d939a5cb3b36dc70e7",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mv9j-6xhh-g383",
"https://www.vulncheck.com/advisories/openclaw-unauthenticated-profile-tampering-via-nostr-plugin-http-endpoints"
],
"cvss_score": 6.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28450",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.8); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28448",
"severity": "high",
"type": "improper_authorization",
"nvd_category_id": "CWE-285",
"title": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be ...",
"description": "OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.803",
"references": [
"https://github.com/openclaw/openclaw/commit/8c7901c984866a776eb59662dc9d8b028de4f0d0",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-33rq-m5x2-fvgf",
"https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-twitch-plugin-allowfrom-access-control"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28448",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28447",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugi...",
"description": "OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.600",
"references": [
"https://github.com/openclaw/openclaw/commit/d03eca8450dc493b198a88b105fd180895238e57",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qrq5-wjgg-rvqw",
"https://www.vulncheck.com/advisories/openclaw-beta-path-traversal-in-plugin-installation-via-package-name"
],
"cvss_score": 8.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28447",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.1); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28446",
"severity": "critical",
"type": "unknown_cwe_303",
"nvd_category_id": "CWE-303",
"title": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an a...",
"description": "OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.390",
"references": [
"https://github.com/openclaw/openclaw/commit/f8dfd034f5d9235c5485f492a9e4ccc114e97fdb",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-4rj2-gpmh-qq5x",
"https://www.vulncheck.com/advisories/openclaw-inbound-allowlist-policy-bypass-in-voice-call-extension-via-empty-caller-id"
],
"cvss_score": 9.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28446",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.4); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28395",
"severity": "medium",
"type": "unknown_cwe_1327",
"nvd_category_id": "CWE-1327",
"title": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in...",
"description": "OpenClaw version 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token header.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:16.173",
"references": [
"https://github.com/openclaw/openclaw/commit/8d75a496bf5aaab1755c56cf48502d967c75a1d0",
"https://github.com/openclaw/openclaw/commit/a1e89afcc19efd641c02b24d66d689f181ae2b5c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qw99-grcx-4pvm"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28395",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28394",
"severity": "medium",
"type": "unknown_cwe_770",
"nvd_category_id": "CWE-770",
"title": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool...",
"description": "OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.973",
"references": [
"https://github.com/openclaw/openclaw/commit/166cf6a3e04c7df42bea70a7ad5ce2b9df46d147",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-p536-vvpp-9mc8",
"https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-response-parsing-in-web-fetch-tool"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28394",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28393",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook tran...",
"description": "OpenClaw versions 2.0.0-beta3 prior to 2026.2.14 contain a path traversal vulnerability in hook transform module loading that allows arbitrary JavaScript execution. The hooks.mappings[].transform.module parameter accepts absolute paths and traversal sequences, enabling attackers with configuration write access to load and execute malicious modules with gateway process privileges.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta3:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta4:*:*:*:node.js:*:*",
"cpe:2.3:a:openclaw:openclaw:2.0.0:beta5:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.767",
"references": [
"https://github.com/openclaw/openclaw/commit/18e8bd68c5015a894f999c6d5e6e32468965bfb5",
"https://github.com/openclaw/openclaw/commit/a0361b8ba959e8506dc79d638b6e6a00d12887e4",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7xhj-55q9-pc3m"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28393",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.7); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28392",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash...",
"description": "OpenClaw versions prior to 2026.2.14 contain a privilege escalation vulnerability in the Slack slash-command handler that incorrectly authorizes any direct message sender when dmPolicy is set to open (must be configured). Attackers can execute privileged slash commands via direct message to bypass allowlist and access-group restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.567",
"references": [
"https://github.com/openclaw/openclaw/commit/f19eabee54c49e9a2e264b4965edf28a2f92e657",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-v773-r54f-q32w",
"https://www.vulncheck.com/advisories/openclaw-privilege-escalation-in-slack-slash-command-handler-via-direct-messages"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28392",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28391",
"severity": "critical",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allo...",
"description": "OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests (non-default configuration), allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...% to execute unapproved commands beyond the allowlisted operations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-03-05T22:16:15.360",
"references": [
"https://github.com/openclaw/openclaw/commit/a7f4a53ce80c98ba1452eb90802d447fca9bf3d6",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-qj77-c3c8-9c3q",
"https://www.vulncheck.com/advisories/openclaw-command-injection-via-cmdexe-parsing-bypass-in-allowlist-enforcement"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28391",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-28363",
"severity": "critical",
"type": "unknown_cwe_184",
"nvd_category_id": "CWE-184",
"title": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long...",
"description": "In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations (such as --compress-prog) in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was denied.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-27T04:16:03.227",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78"
],
"cvss_score": 9.9,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28363",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.9); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27576",
"severity": "medium",
"type": "uncontrolled_resource_consumption",
"nvd_category_id": "CWE-400",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very la...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the ACP bridge accepts very large prompt text blocks and can assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs. This issue has been fixed in version 2026.2.19.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.437",
"references": [
"https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c",
"https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68",
"https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a"
],
"cvss_score": 4.0,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (4.0); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27488",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/g...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch() directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.267",
"references": [
"https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp"
],
"cvss_score": 7.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27488",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.3); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27487",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude C...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, this created an OS command injection risk. This issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:13.100",
"references": [
"https://github.com/openclaw/openclaw/commit/66d7178f2d6f9d60abad35797f97f3e61389b70c",
"https://github.com/openclaw/openclaw/commit/9dce3d8bf83f13c067bc3c32291643d2f1f10a06",
"https://github.com/openclaw/openclaw/commit/b908388245764fb3586859f44d1dff5372b19caf"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27487",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27486",
"severity": "medium",
"type": "unknown_cwe_283",
"nvd_category_id": "CWE-283",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the proces...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can be terminated if they match the pattern. The CLI runner cleanup helpers can kill processes matched by command-line patterns without validating process ownership. This issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.903",
"references": [
"https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557",
"https://github.com/openclaw/openclaw/commit/eb60e2e1b213740c3c587a7ba4dbf10da620ca66",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 5.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27486",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (5.3); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27485",
"severity": "medium",
"type": "unknown_cwe_61",
"nvd_category_id": "CWE-61",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/p...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.723",
"references": [
"https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f",
"https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0",
"https://github.com/openclaw/openclaw/pull/20796"
],
"cvss_score": 4.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.4); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27484",
"severity": "medium",
"type": "missing_authorization",
"nvd_category_id": "CWE-862",
"title": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action ...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-21T10:16:12.557",
"references": [
"https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27484",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27009",
"severity": "medium",
"type": "cross_site_scripting",
"nvd_category_id": "CWE-79",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw ...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a atored XSS issue in the OpenClaw Control UI when rendering assistant identity (name/avatar) into an inline `` could break out of the script tag and execute attacker-controlled JavaScript in the Control UI origin. Version 2026.2.15 removed inline script injection and serve bootstrap config from a JSON endpoint and added a restrictive Content Security Policy for the Control UI (`script-src 'self'`, no inline scripts).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.620",
"references": [
"https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e",
"https://github.com/openclaw/openclaw/commit/adc818db4a4b3b8d663e7674ef20436947514e1b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
],
"cvss_score": 5.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27009",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.8); requires local access; XSS has limited impact in headless agents",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27008",
"severity": "medium",
"type": "unknown_cwe_73",
"nvd_category_id": "CWE-73",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installat...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.460",
"references": [
"https://github.com/openclaw/openclaw/commit/2363e1b0853a028e47f90dcc1066e3e9809d65f1",
"https://github.com/openclaw/openclaw/commit/b6305e97256d67e439719faacf5af3de9727d6e1",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27008",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.7); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27007",
"severity": "low",
"type": "unknown_cwe_1254",
"nvd_category_id": "CWE-1254",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/s...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenClaw sandbox flows, this hash is used to decide whether existing sandbox containers should be recreated. As a result, order-only config changes (for example Docker `dns` and `binds` array order) could be treated as unchanged and stale containers could be reused. This is a configuration integrity issue affecting sandbox recreation behavior. Starting in version 2026.2.15, array ordering is preserved during hash normalization; only object key ordering remains normalized for deterministic hashing.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.303",
"references": [
"https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp"
],
"cvss_score": 3.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.3); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27004",
"severity": "medium",
"type": "unknown_cwe_209",
"nvd_category_id": "CWE-209",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, O...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:17.140",
"references": [
"https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27004",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27003",
"severity": "medium",
"type": "unknown_cwe_522",
"nvd_category_id": "CWE-522",
"title": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack trac...",
"description": "OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.983",
"references": [
"https://github.com/openclaw/openclaw/commit/cf69907015b659e5025efb735ee31bd05c4ee3d5",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-chf7-jq6g-qrwv"
],
"cvss_score": 5.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27003",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (5.5); requires local access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27002",
"severity": "critical",
"type": "execution_with_unnecessary_privileges",
"nvd_category_id": "CWE-250",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in ...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks dangerous sandbox Docker settings and includes runtime enforcement when building `docker create` args; config-schema validation for `network=host`, `seccompProfile=unconfined`, `apparmorProfile=unconfined`; and security audit findings to surface dangerous sandbox docker config. As a workaround, do not configure `agents.*.sandbox.docker.binds` to mount system directories or Docker socket paths, keep `agents.*.sandbox.docker.network` at `none` (default) or `bridge`, and do not use `unconfined` for seccomp/AppArmor profiles.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.827",
"references": [
"https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg"
],
"cvss_score": 9.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27002",
"exploitability_score": "high",
"exploitability_rationale": "Critical CVSS score (9.8); remotely exploitable without authentication; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-27001",
"severity": "high",
"type": "command_injection",
"nvd_category_id": "CWE-77",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current worki...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is sanitized before it is embedded into any LLM prompt output, stripping Unicode control/format characters and explicit line/paragraph separators. Workspace path resolution also applies the same sanitization as defense-in-depth.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.653",
"references": [
"https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.15",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4"
],
"cvss_score": 7.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27001",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.8); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26972",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser downl...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:16.500",
"references": [
"https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.13",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c"
],
"cvss_score": 6.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26972",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.7); requires local access; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26329",
"severity": "medium",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read ar...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:15.687",
"references": [
"https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26329",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26328",
"severity": "medium",
"type": "improper_access_control",
"nvd_category_id": "CWE-284",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowli...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-20T00:16:15.523",
"references": [
"https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26327",
"severity": "medium",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records...",
"description": "OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning inputs. iOS and macOS used TXT-provided host hints (`lanHost`/`tailnetDns`) and ports (`gatewayPort`) to build the connection URL. iOS and Android allowed the discovery-provided TLS fingerprint (`gatewayTlsSha256`) to override a previously stored TLS pin. On a shared/untrusted LAN, an attacker could advertise a rogue `_openclaw-gw._tcp` service. This could cause a client to connect to an attacker-controlled endpoint and/or accept an attacker certificate, potentially exfiltrating Gateway credentials (`auth.token` / `auth.password`) during connection. As of time of publication, the iOS and Android apps are alpha/not broadly shipped (no public App Store / Play Store release). Practical impact is primarily limited to developers/testers running those builds, plus any other shipped clients relying on discovery on a shared/untrusted LAN. Version 2026.2.14 fixes the issue. Clients now prefer the resolved service endpoint (SRV + A/AAAA) over TXT-provided routing hints. Discovery-provided fingerprints no longer override stored TLS pins. In iOS/Android, first-time TLS pins require explicit user confirmation (fingerprint shown; no silent TOFU) and discovery-based direct connects are TLS-only. In Android, hostname verification is no longer globally disabled (only bypassed when pinning).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:26.100",
"references": [
"https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26327",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26326",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secr...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only `{ path, satisfied }`) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.950",
"references": [
"https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a",
"https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 4.3,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26326",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (4.3); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26325",
"severity": "high",
"type": "improper_access_control",
"nvd_category_id": "CWE-284",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the node host / companion node execution path (`system.run` on a node), enable allowlist-based exec policy (`security=allowlist`) with approval prompting driven by allowlist misses (for example `ask=on-miss`), allow an attacker to invoke `system.run`. Default/non-node configurations are not affected. Version 2026.2.14 enforces `rawCommand`/`command[]` consistency (gateway fail-fast + node host validation).",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.800",
"references": [
"https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476"
],
"cvss_score": 7.2,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26325",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.2); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26324",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-local metadata) to pass the SSRF guard. Version 2026.2.14 patches the issue.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.653",
"references": [
"https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26324",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26323",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in...",
"description": "OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a malicious commit author email (e.g. crafted `@users[.]noreply[.]github[.]com` values). Normal CLI usage is not affected (`npm i -g openclaw`): this script is not part of the shipped CLI and is not executed during routine operation. The script derived a GitHub login from `git log` author metadata and interpolated it into a shell command (via `execSync`). A malicious commit record could inject shell metacharacters and execute arbitrary commands when the script is run. Version 2026.2.14 contains a patch.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.500",
"references": [
"https://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26323",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26322",
"severity": "high",
"type": "server_side_request_forgery",
"nvd_category_id": "CWE-918",
"title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted ...",
"description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invoke tools that accept `gatewayUrl` overrides (directly or indirectly). In typical setups this is limited to authenticated operators, trusted automation, or environments where tool calls are exposed to non-operators. In other words, this is not a drive-by issue for arbitrary internet users unless a deployment explicitly allows untrusted users to trigger these tool calls. Some tool call paths allowed `gatewayUrl` overrides to flow into the Gateway WebSocket client without validation or allowlisting. This meant the host could be instructed to attempt connections to non-gateway endpoints (for example, localhost services, private network addresses, or cloud metadata IPs). In the common case, this results in an outbound connection attempt from the OpenClaw host (and corresponding errors/timeouts). In environments where the tool caller can observe the results, this can also be used for limited network reachability probing. If the target speaks WebSocket and is reachable, further interaction may be possible. Starting in version 2026.2.14, tool-supplied `gatewayUrl` overrides are restricted to loopback (on the configured gateway port) or the configured `gateway.remote.url`. Disallowed protocols, credentials, query/hash, and non-root paths are rejected.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.340",
"references": [
"https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf"
],
"cvss_score": 7.6,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26322",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.6); network accessible; SSRF affects agents making external requests",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26321",
"severity": "high",
"type": "path_traversal",
"nvd_category_id": "CWE-22",
"title": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previ...",
"description": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd` as `mediaUrl`. Upgrade to OpenClaw `2026.2.14` or newer to receive a fix. The fix removes direct local file reads from this path and routes media loading through hardened helpers that enforce local-root restrictions.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.180",
"references": [
"https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26321",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26320",
"severity": "medium",
"type": "unknown_cwe_451",
"nvd_category_id": "CWE-451",
"title": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL s...",
"description": "OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full message after the user clicked \"Run.\" At the time of writing, the OpenClaw macOS desktop client is still in beta. In versions 2026.2.6 through 2026.2.13, an attacker could pad the message with whitespace to push a malicious payload outside the visible preview, increasing the chance a user approves a different message than the one that is actually executed. If a user runs the deep link, the agent may perform actions that can lead to arbitrary command execution depending on the user's configured tool approvals/allowlists. This is a social-engineering mediated vulnerability: the confirmation prompt could be made to misrepresent the executed message. The issue is fixed in 2026.2.14. Other mitigations include not approve unexpected \"Run OpenClaw agent?\" prompts triggered while browsing untrusted sites and usingunattended deep links only with a valid `key` for trusted personal automations.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:25.017",
"references": [
"https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26320",
"exploitability_score": "medium",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26319",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice...",
"description": "OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T23:16:24.857",
"references": [
"https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b",
"https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26319",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26317",
"severity": "high",
"type": "cross_site_request_forgery",
"nvd_category_id": "CWE-352",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes ac...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A malicious website can trigger unauthorized state changes against a victim's local OpenClaw browser control plane (for example opening tabs, starting/stopping the browser, mutating storage/cookies) if the browser control service is reachable on loopback in the victim's browser context. Starting in version 2026.2.14, mutating HTTP methods (POST/PUT/PATCH/DELETE) are rejected when the request indicates a non-loopback Origin/Referer (or `Sec-Fetch-Site: cross-site`). Other mitigations include enabling browser control auth (token/password) and avoid running with auth disabled.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T22:16:47.270",
"references": [
"https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.14",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q"
],
"cvss_score": 7.1,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.1); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-26316",
"severity": "high",
"type": "incorrect_authorization",
"nvd_category_id": "CWE-863",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel p...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T22:16:47.110",
"references": [
"https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a",
"https://github.com/openclaw/openclaw/commit/f836c385ffc746cb954e8ee409f99d079bfdcd2f",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.13"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26316",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25474",
"severity": "high",
"type": "unknown_cwe_345",
"nvd_category_id": "CWE-345",
"title": "OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSe...",
"description": "OpenClaw is a personal AI assistant. In versions 2026.1.30 and below, if channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates (for example spoofing message.from.id). If an attacker can reach the webhook endpoint, they may be able to send forged updates that are processed as if they came from Telegram. Depending on enabled commands/tools and configuration, this could lead to unintended bot actions. Note: Telegram webhook mode is not enabled by default. It is enabled only when `channels.telegram.webhookUrl` is configured. This issue has been fixed in version 2026.2.1.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T07:17:45.847",
"references": [
"https://github.com/openclaw/openclaw/commit/3cbcba10cf30c2ffb898f0d8c7dfb929f15f8930",
"https://github.com/openclaw/openclaw/commit/5643a934799dc523ec2ef18c007e1aa2c386b670",
"https://github.com/openclaw/openclaw/commit/633fe8b9c17f02fcc68ecdb5ec212a5ace932f09"
],
"cvss_score": 7.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25474",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.5); remotely exploitable without authentication",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-24764",
"severity": "low",
"type": "unknown_cwe_74",
"nvd_category_id": "CWE-74",
"title": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions ...",
"description": "OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven systems. This issue increases the injection surface by allowing untrusted Slack channel metadata to be treated as higher-trust system input. This issue has been fixed in version 2026.2.3.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-19T07:17:44.957",
"references": [
"https://github.com/openclaw/openclaw/commit/35eb40a7000b59085e9c638a80fd03917c7a095e",
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.3",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-782p-5fr5-7fj8"
],
"cvss_score": 3.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24764",
"exploitability_score": "low",
"exploitability_rationale": "Low CVSS score (3.7); network accessible",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25593",
"severity": "high",
"type": "missing_authentication_for_critical_function",
"nvd_category_id": "CWE-306",
"title": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use t...",
"description": "OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-06T21:16:17.790",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg"
],
"cvss_score": 8.4,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25593",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.4); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25475",
"severity": "medium",
"type": "exposure_of_sensitive_information",
"nvd_category_id": "CWE-200",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-04T20:16:07.287",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq"
],
"cvss_score": 6.5,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25475",
"exploitability_score": "high",
"exploitability_rationale": "Medium CVSS score (6.5); network accessible; path traversal affects agents with file access",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25157",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vu...",
"description": "OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-04T20:16:06.577",
"references": [
"https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585"
],
"cvss_score": 7.7,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (7.7); requires local access; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": false,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "high"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-24763",
"severity": "high",
"type": "os_command_injection",
"nvd_category_id": "CWE-78",
"title": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026....",
"description": "OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-02T23:16:08.593",
"references": [
"https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75",
"https://github.com/openclaw/openclaw/releases/tag/v2026.1.29",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": true,
"requires_user_interaction": false,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
},
{
"id": "CVE-2026-25253",
"severity": "high",
"type": "incorrect_resource_transfer_between_spheres",
"nvd_category_id": "CWE-669",
"title": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string a...",
"description": "OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.",
"affected": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
"openclaw@*"
],
"platforms": [
"openclaw"
],
"action": "Review and update affected components. See NVD for remediation details.",
"published": "2026-02-01T23:15:49.717",
"references": [
"https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys",
"https://ethiack.com/news/blog/one-click-rce-moltbot",
"https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq"
],
"cvss_score": 8.8,
"nvd_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253",
"exploitability_score": "high",
"exploitability_rationale": "High CVSS score (8.8); network accessible; RCE is critical in agent deployments",
"attack_vector_analysis": {
"is_network_accessible": true,
"requires_authentication": false,
"requires_user_interaction": true,
"complexity": "low"
},
"exploit_detection": {
"exploit_available": false,
"exploit_sources": []
}
}
]
}