CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 12556 | 848 | 3598 | 3935 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42431 | HIGH | 8.1 | OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the … | Apr 28, 2026 |
| CVE-2026-42430 | MEDIUM | 6.5 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time … | Apr 28, 2026 |
| CVE-2026-42429 | HIGH | 7.1 | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers … | Apr 28, 2026 |
| CVE-2026-42428 | HIGH | 7.1 | OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the … | Apr 28, 2026 |
| CVE-2026-42427 | MEDIUM | 5.3 | OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject … | Apr 28, 2026 |
| CVE-2026-42426 | HIGH | 8.8 | OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to … | Apr 28, 2026 |
| CVE-2026-42424 | MEDIUM | 5.7 | OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting … | Apr 28, 2026 |
| CVE-2026-42423 | HIGH | 7.5 | OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback … | Apr 28, 2026 |
| CVE-2026-42422 | HIGH | 8.8 | OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing … | Apr 28, 2026 |
| CVE-2026-42421 | MEDIUM | 5.4 | OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections … | Apr 28, 2026 |
| CVE-2026-42420 | MEDIUM | 4.3 | OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to … | Apr 28, 2026 |
| CVE-2026-41916 | MEDIUM | 5.4 | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated … | Apr 28, 2026 |
| CVE-2026-41915 | MEDIUM | 5.3 | OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR … | Apr 28, 2026 |
| CVE-2026-41914 | HIGH | 8.5 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch … | Apr 28, 2026 |
| CVE-2026-41913 | LOW | 3.7 | OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit … | Apr 28, 2026 |
| CVE-2026-41912 | HIGH | 7.6 | OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions … | Apr 28, 2026 |
| CVE-2026-41911 | MEDIUM | 6.5 | OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file … | Apr 28, 2026 |
| CVE-2026-41910 | MEDIUM | 4.3 | OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist … | Apr 28, 2026 |
| CVE-2026-41408 | MEDIUM | 4.3 | OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can … | Apr 28, 2026 |
| CVE-2026-41407 | LOW | 3.7 | OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers … | Apr 28, 2026 |
| CVE-2026-41406 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread … | Apr 28, 2026 |
| CVE-2026-41405 | HIGH | 7.5 | OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious … | Apr 28, 2026 |
| CVE-2026-41404 | HIGH | 8.8 | OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes … | Apr 28, 2026 |
| CVE-2026-41403 | LOW | 2.9 | OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access … | Apr 28, 2026 |
| CVE-2026-41402 | MEDIUM | 4.2 | OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the … | Apr 28, 2026 |