Vulnerabilities in openclaw

537 results
CVE | Severity | Title | EPSS
CVE-2026-28450 | HIGH | OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints | 0.3%
CVE-2026-41404 | HIGH | OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication | 0.3%
CVE-2026-41363 | MEDIUM | OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter | 0.3%
CVE-2026-22171 | HIGH | OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming | 0.3%
CVE-2026-31992 | HIGH | OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S | 0.3%
CVE-2026-8629 | HIGH | Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints | 0.3%
CVE-2026-32053 | MEDIUM | OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization | 0.3%
CVE-2026-26322 | HIGH | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | 0.3%
CVE-2026-32057 | MEDIUM | OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter | 0.3%
CVE-2026-32033 | MEDIUM | OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation | 0.3%
CVE-2026-32975 | MEDIUM | OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist | 0.3%
CVE-2026-41353 | HIGH | OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection | 0.3%
CVE-2026-43528 | HIGH | OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases | 0.3%
CVE-2026-22175 | HIGH | OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers | 0.3%
CVE-2026-34503 | HIGH | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | 0.3%
CVE-2026-32920 | HIGH | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | 0.3%
CVE-2026-41375 | HIGH | OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints | 0.3%
CVE-2026-41351 | MEDIUM | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | 0.3%
CVE-2026-41386 | CRITICAL | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes | 0.3%
CVE-2026-27488 | MEDIUM | OpenClaw hardened cron webhook delivery against SSRF | 0.3%