openclaw
npm353 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting openclawpage 1 of 8
- CVE-2026-22168MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.212026-03-18
OpenClaw versions prior to 2026.2.21 contain an approval-integrity mismatch vulnerability in system.run that allows authenticated operators to execute arbitrary trailing arguments after cmd.exe /c while approval text reflects only a benign…
- CVE-2026-22169MEDIUMCVSS 6.7EG 6.7✓ Fixed in 2026.2.222026-03-18
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safeBins configuration that allows attackers to invoke external helpers through the compress-program option. When sort is explicitly added to tools.exec.…
- CVE-2026-22171HIGHCVSS 8.2EG 8.2✓ Fixed in 2026.2.192026-03-18
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the Feishu media download flow where untrusted media keys are interpolated directly into temporary file paths in extensions/feishu/src/media.ts. An attacker who…
- CVE-2026-22175HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.232026-03-18
OpenClaw versions prior to 2026.2.23 contain an exec approval bypass vulnerability in allowlist mode where allow-always grants could be circumvented through unrecognized multiplexer shell wrappers like busybox and toybox sh -c commands. At…
- CVE-2026-22176MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script generation where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments, allowing shell meta…
- CVE-2026-22177MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.2.212026-03-18
OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables like NODE_OPTIONS or LD_* through configuration …
- CVE-2026-22178MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.192026-03-18
OpenClaw versions prior to 2026.2.19 construct RegExp objects directly from unescaped Feishu mention metadata in the stripBotMention function, allowing regex injection and denial of service. Attackers can craft nested-quantifier patterns o…
- CVE-2026-22179HIGHCVSS 7.2EG 7.2✓ Fixed in 2026.2.222026-03-18
OpenClaw versions prior to 2026.2.22 in macOS node-host system.run contain an allowlist bypass vulnerability that allows remote attackers to execute non-allowlisted commands by exploiting improper parsing of command substitution tokens. At…
- CVE-2026-22180MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.22026-03-18
OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in f…
- CVE-2026-22181HIGHCVSS 7.6EG 7.6✓ Fixed in 2026.3.22026-03-18
OpenClaw versions prior to 2026.3.2 contain a DNS pinning bypass vulnerability in strict URL fetch paths that allows attackers to circumvent SSRF guards when environment proxy variables are configured. When HTTP_PROXY, HTTPS_PROXY, or ALL_…
- CVE-2026-22217MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.2.232026-03-18
OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting trusted-prefix fallback logic for the $SHELL variable…
- CVE-2026-25475MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.1.302026-02-04
OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can …
- CVE-2026-25593HIGHCVSS 8.4EG 8.4✓ Fixed in 2026.1.202026-02-06
OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enablin…
- CVE-2026-27522MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.242026-03-18
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host…
- CVE-2026-27523MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.2.242026-03-18
OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind …
- CVE-2026-27524MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.2.212026-03-18
OpenClaw versions prior to 2026.2.21 accept prototype-reserved keys in runtime /debug set override object values, allowing prototype pollution attacks. Authorized /debug set callers can inject __proto__, constructor, or prototype keys to m…
- CVE-2026-27545MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.2.262026-03-18
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current worki…
- CVE-2026-27566HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails to unwrap env and shell-dispatch wrapper chains. Attackers can route execution through wrapper binaries like env bash to …
- CVE-2026-27670MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.22026-03-19
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race betw…
- CVE-2026-28395MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.122026-03-05
OpenClaw version 2026.1.14-1 prior to 2026.2.12 contains an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HT…
- CVE-2026-28449MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.252026-03-19
OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid signed webhook requests to be replayed without suppression. Attackers can capture and replay previously valid signed webhook r…
- CVE-2026-28460HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to execute non-allowlisted commands by splitting command substitution using shell line-continuation characters. Attackers ca…
- CVE-2026-28463HIGHCVSS 8.4EG 8.4✓ Fixed in 2026.2.142026-03-05
OpenClaw versions prior to 2026.2.14 contain an arbitrary file read vulnerability in the exec-approvals allowlist validation that checks pre-expansion argv tokens but executes using real shell expansion. Attackers with authorization or thr…
- CVE-2026-28476HIGHCVSS 8.3EG 8.3✓ Fixed in 2026.2.142026-03-05
OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the optional Tlon Urbit extension that accepts user-provided base URLs for authentication without proper validation. Attackers who can influence th…
- CVE-2026-28481MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.12026-03-05
OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domain…
- CVE-2026-29607MEDIUMCVSS 6.8EG 6.8✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in allow-always wrapper persistence that allows attackers to bypass approval checks by persisting wrapper-level allowlist entries instead of validating inne…
- CVE-2026-29608MEDIUMCVSS 6.7EG 6.7✓ Fixed in 2026.3.22026-03-19
vulnerable: 2026.3.1
OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting changes command semantics. Attackers can place malicious local scripts in the working directory to execute unintended cod…
- CVE-2026-29611HIGHCVSS 7.5EG 7.5✓ Fixed in 2026.2.142026-03-05
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sen…
- CVE-2026-31989HIGHCVSS 7.4EG 7.4✓ Fixed in 2026.3.12026-03-19
OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in web_search citation redirect resolution that uses a private-network-allowing SSRF policy. An attacker who can influence citation redirect targets ca…
- CVE-2026-31990MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.3.22026-03-19
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attack…
- CVE-2026-31994HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local at…
- CVE-2026-31995MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.2.192026-03-19
OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's Windows shell fallback mechanism that allows attackers to inject arbitrary commands through tool-provided arguments. When s…
- CVE-2026-31996MEDIUMCVSS 4.4EG 4.4✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allows attackers to execute unintended filesystem operations through sort output flags or recursive grep flags. Attackers with …
- CVE-2026-31997MEDIUMCVSS 6.0EG 6.0✓ Fixed in 2026.3.12026-03-19
OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv[0] tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute …
- CVE-2026-31999MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.3.12026-03-19
OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability in wrapper resolution for .cmd/.bat files that allows attackers to influence execution behavior through cwd manipulation. …
- CVE-2026-32000HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool execution that uses Windows shell fallback with shell: true after spawn failures. Attackers can inject shell metacharacters in com…
- CVE-2026-32003MEDIUMCVSS 6.6EG 6.6✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain an environment variable injection vulnerability in the system.run function that allows attackers to bypass command allowlist restrictions via SHELLOPTS and PS4 environment variables. An attacker…
- CVE-2026-32004MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.22026-03-19
OpenClaw versions prior to 2026.3.2 contain an authentication bypass vulnerability in the /api/channels route classification due to canonicalization depth mismatch between auth-path classification and route-path canonicalization. Attackers…
- CVE-2026-32007MEDIUMCVSS 6.8EG 6.8✓ Fixed in 2026.2.232026-03-19
OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforceme…
- CVE-2026-32008MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.212026-03-19
OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers c…
- CVE-2026-32010MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in the safe-bin configuration when sort is manually added to tools.exec.safeBins. Attackers can invoke sort with the --compress-program flag to execute arbitrar…
- CVE-2026-32013HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.2.252026-03-19
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlis…
- CVE-2026-32014HIGHCVSS 8.0EG 8.0✓ Fixed in 2026.2.262026-03-19
OpenClaw versions prior to 2026.2.26 contain a metadata spoofing vulnerability where reconnect platform and deviceFamily fields are accepted from the client without being bound into the device-auth signature. An attacker with a paired node…
- CVE-2026-32018LOWCVSS 3.6EG 3.6✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operati…
- CVE-2026-32019HIGHCVSS 7.4EG 7.4✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain incomplete IPv4 special-use range validation in the isPrivateIpv4() function, allowing requests to RFC-reserved ranges to bypass SSRF policy checks. Attackers with network reachability to specia…
- CVE-2026-32020LOWCVSS 3.3EG 3.3✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain a path traversal vulnerability in the static file handler that follows symbolic links, allowing out-of-root file reads. Attackers can place symlinks under the Control UI root directory to bypass…
- CVE-2026-32022MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.212026-03-19
OpenClaw versions prior to 2026.2.21 contain a stdin-only policy bypass vulnerability in the grep tool within tools.exec.safeBins that allows attackers to read arbitrary files by supplying a pattern via the -e flag parameter. Attackers can…
- CVE-2026-32024MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avat…
- CVE-2026-32026MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.242026-03-19
OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by p…
- CVE-2026-32030HIGHCVSS 7.5EG 7.5✓ Fixed in 2026.2.192026-03-19
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attach…
Check whether openclaw is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for openclaw CVEs against the assets you own.
Start Free Scan →