Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
13161
Total
872
Critical
3825
High
4173
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35636 | MEDIUM | 6.5 | OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child … | Apr 09, 2026 |
| CVE-2026-35635 | MEDIUM | 4.8 | OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook … | Apr 09, 2026 |
| CVE-2026-35634 | MEDIUM | 5.1 | OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests without validating bearer tokens or canvas capabilities. … | Apr 09, 2026 |
| CVE-2026-35633 | MEDIUM | 5.3 | OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can … | Apr 09, 2026 |
| CVE-2026-35632 | HIGH | 7.1 | OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace … | Apr 09, 2026 |
| CVE-2026-35631 | MEDIUM | 6.5 | OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane … | Apr 09, 2026 |
| CVE-2026-35629 | HIGH | 7.4 | OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers … | Apr 09, 2026 |
| CVE-2026-35628 | MEDIUM | 4.8 | OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. The vulnerability enables repeated … | Apr 09, 2026 |
| CVE-2026-35627 | MEDIUM | 6.5 | OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication … | Apr 09, 2026 |
| CVE-2026-35626 | MEDIUM | 5.3 | OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. Attackers can send … | Apr 09, 2026 |
| CVE-2026-35625 | HIGH | 7.8 | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers … | Apr 09, 2026 |
| CVE-2026-35624 | MEDIUM | 4.2 | OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. Attackers can exploit similarly … | Apr 09, 2026 |
| CVE-2026-35623 | MEDIUM | 4.8 | OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can … | Apr 09, 2026 |
| CVE-2026-35622 | MEDIUM | 5.9 | OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can … | Apr 09, 2026 |
| CVE-2026-35618 | MEDIUM | 6.5 | OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The … | Apr 09, 2026 |
| CVE-2026-35617 | MEDIUM | 4.2 | OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group … | Apr 09, 2026 |
| CVE-2026-34512 | HIGH | 8.1 | OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions … | Apr 09, 2026 |
| CVE-2026-33797 | HIGH | 7.4 | An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet … | Apr 09, 2026 |
| CVE-2026-33793 | HIGH | 7.8 | An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker … | Apr 09, 2026 |
| CVE-2026-33791 | MEDIUM | 6.7 | An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, … | Apr 09, 2026 |
| CVE-2026-33790 | HIGH | 7.5 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker … | Apr 09, 2026 |
| CVE-2026-33788 | HIGH | 7.8 | A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, … | Apr 09, 2026 |
| CVE-2026-33787 | MEDIUM | 5.5 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and … | Apr 09, 2026 |
| CVE-2026-33786 | MEDIUM | 5.5 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 … | Apr 09, 2026 |
| CVE-2026-33785 | HIGH | 8.8 | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute … | Apr 09, 2026 |