openclaw
npm353 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting openclawpage 2 of 8
- CVE-2026-32031MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2026.2.262026-03-19
OpenClaw versions prior to 2026.2.26 server-http contains an authentication bypass vulnerability in gateway authentication for plugin channel endpoints due to path canonicalization mismatch between the gateway guard and plugin handler rout…
- CVE-2026-32033MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.242026-03-19
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-pr…
- CVE-2026-32034HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.2.212026-03-19
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity…
- CVE-2026-32035MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2026.3.22026-03-19
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-…
- CVE-2026-32037MEDIUMCVSS 6.0EG 6.0✓ Fixed in 2026.2.222026-03-19
OpenClaw versions prior to 2026.2.22 fail to consistently validate redirect chains against configured mediaAllowHosts allowlists during MSTeams media downloads. Attackers can supply or influence attachment URLs to force redirects to non-al…
- CVE-2026-32038CRITICALCVSS 9.8EG 9.8✓ Fixed in 2026.2.242026-03-19
OpenClaw before 2026.2.24 contains a sandbox network isolation bypass vulnerability that allows trusted operators to join another container's network namespace. Attackers can configure the docker.network parameter with container:<id> value…
- CVE-2026-32043MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.252026-03-21
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a sy…
- CVE-2026-32044MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2026.3.22026-03-21
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass spe…
- CVE-2026-32045MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2026.2.212026-03-21
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to…
- CVE-2026-32046MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.2.212026-03-21
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leve…
- CVE-2026-32052MEDIUMCVSS 6.4EG 6.4✓ Fixed in 2026.2.242026-03-21
OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers ca…
- CVE-2026-32053MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.232026-03-21
OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio web…
- CVE-2026-32054MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.2.252026-03-21
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can crea…
- CVE-2026-32055HIGHCVSS 7.6EG 7.6✓ Fixed in 2026.2.262026-03-21
OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targ…
- CVE-2026-32056HIGHCVSS 7.5EG 7.5✓ Fixed in 2026.2.222026-03-21
OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startu…
- CVE-2026-32057HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.2.252026-03-21
OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role…
- CVE-2026-32061MEDIUMCVSS 4.4EG 4.4✓ Fixed in 2026.2.172026-03-11
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabiliti…
- CVE-2026-32062HIGHCVSS 7.5EG 7.5✓ Fixed in 2026.2.222026-03-11
OpenClaw versions 2026.2.21-2 up to, but not including, 2026.2.22, and @openclaw/voice-call versions 2026.2.21 up to, but not including, 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated cl…
- CVE-2026-32065MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2026.2.252026-03-21
OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An at…
- CVE-2026-32067LOWCVSS 3.7EG 3.7✓ Fixed in 2026.2.262026-03-21
OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker…
- CVE-2026-32846HIGHCVSS 8.7EG 8.7✓ Fixed in 2026.03.282026-03-26
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit in…
- CVE-2026-32896MEDIUMCVSS 4.8EG 4.8✓ Fixed in 2026.2.212026-03-21
The BlueBubbles webhook handler in OpenClaw versions prior to 2026.2.21 contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can…
- CVE-2026-32897LOWCVSS 3.7EG 3.7✓ Fixed in 2026.2.222026-03-21
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication…
- CVE-2026-32898MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.2.232026-03-21
OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive a…
- CVE-2026-32905HIGHCVSS 8.3EG 8.3✓ Fixed in 2026.5.42026-05-29
OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with…
- CVE-2026-32906MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.5.122026-05-29
OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permission…
- CVE-2026-32913CRITICALCVSS 9.3EG 9.3✓ Fixed in 2026.3.72026-03-23
OpenClaw before 2026.3.7 contains an improper header validation vulnerability in fetchWithSsrFGuard that forwards custom authorization headers across cross-origin redirects. Attackers can trigger redirects to different origins to intercept…
- CVE-2026-32916CRITICALCVSS 9.4EG 9.4✓ Fixed in 2026.3.112026-03-31
OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated req…
- CVE-2026-32920HIGHCVSS 8.4EG 8.4✓ Fixed in 2026.3.122026-03-31
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plug…
- CVE-2026-32921MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.3.82026-03-31
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved scri…
- CVE-2026-32970LOWCVSS 2.5EG 2.5✓ Fixed in 2026.3.112026-03-31
OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers c…
- CVE-2026-32971HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.3.112026-03-31
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped co…
- CVE-2026-32977MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2026.3.112026-03-31
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use r…
- CVE-2026-32988HIGHCVSS 7.5EG 7.5✓ Fixed in 2026.3.112026-03-31
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in par…
- CVE-2026-33572HIGHCVSS 8.4EG 8.4✓ Fixed in 2026.2.172026-03-29
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive informatio…
- CVE-2026-33579CRITICALCVSS 9.9EG 9.9✓ Fixed in 2026.3.282026-03-31
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can a…
- CVE-2026-34425MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.4.22026-04-02
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails t…
- CVE-2026-34426HIGHCVSS 7.6EG 7.6✓ Fixed in 2026.3.222026-04-02
OpenClaw versions prior to commit b57b680 contain an approval bypass vulnerability due to inconsistent environment variable normalization between approval and execution paths, allowing attackers to inject attacker-controlled environment v…
- CVE-2026-34503HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.3.282026-03-31
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconne…
- CVE-2026-34504HIGHCVSS 8.3EG 8.3✓ Fixed in 2026.3.282026-03-31
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguar…
- CVE-2026-34505MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.122026-03-31
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secr…
- CVE-2026-34507MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.4.292026-05-29
OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or context…
- CVE-2026-34510MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.4.22026-04-01
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file tar…
- CVE-2026-34511MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.4.22026-04-03
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier,…
- CVE-2026-35617MEDIUMCVSS 4.2EG 4.2✓ Fixed in 2026.3.282026-04-09
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. Attackers can rebind group policies by changing or colliding space display names t…
- CVE-2026-35618MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.232026-04-09
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full …
- CVE-2026-35619MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.3.242026-04-10
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metad…
- CVE-2026-35620MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.242026-04-10
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings…
- CVE-2026-35621MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.242026-04-10
OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization po…
- CVE-2026-35622MEDIUMCVSS 5.9EG 5.9✓ Fixed in 2026.3.222026-04-09
OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. Attackers can bypass webhook authenticati…
Check whether openclaw is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for openclaw CVEs against the assets you own.
Start Free Scan →