openclaw
npm359 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting openclawpage 4 of 8
- CVE-2026-35674HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.182026-05-29
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external r…
- CVE-2026-3690HIGHCVSS 7.4EG 7.4✓ Fixed in 2026.2.192026-04-11
OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability. The specific fla…
- CVE-2026-40037MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.4.82026-04-08
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redir…
- CVE-2026-40045MEDIUMCVSS 5.7EG 5.7✓ Fixed in 2026.4.22026-04-21
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malici…
- CVE-2026-41294HIGHCVSS 8.6EG 8.6✓ Fixed in 2026.3.282026-04-21
OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override run…
- CVE-2026-41295HIGHCVSS 7.8EG 7.8✓ Fixed in 2026.4.22026-04-21
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a …
- CVE-2026-41296HIGHCVSS 8.2EG 8.2✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypa…
- CVE-2026-41297HIGHCVSS 7.6EG 7.6✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts modul…
- CVE-2026-41298MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.4.22026-04-21
OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypass…
- CVE-2026-41299HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.3.282026-04-21
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorizatio…
- CVE-2026-41300MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive…
- CVE-2026-41301MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-21
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attack…
- CVE-2026-41302HIGHCVSS 7.6EG 7.6✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls …
- CVE-2026-41303HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.3.282026-04-21
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord…
- CVE-2026-41329CRITICALCVSS 9.9EG 9.9✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to by…
- CVE-2026-41330MEDIUMCVSS 4.4EG 4.4✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment…
- CVE-2026-41331MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-21
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enfo…
- CVE-2026-41332MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS…
- CVE-2026-41333LOWCVSS 3.7EG 3.7✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authenticatio…
- CVE-2026-41334MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service throug…
- CVE-2026-41335MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Co…
- CVE-2026-41336HIGHCVSS 7.8EG 7.8✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted…
- CVE-2026-41337MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live cal…
- CVE-2026-41338MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir oper…
- CVE-2026-41339MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.4.22026-04-23
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host f…
- CVE-2026-41341MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this…
- CVE-2026-41342HIGHCVSS 7.3EG 7.3✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to …
- CVE-2026-41343MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before …
- CVE-2026-41344MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter t…
- CVE-2026-41346MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-23
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to…
- CVE-2026-41347HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser…
- CVE-2026-41348MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions…
- CVE-2026-41351MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass …
- CVE-2026-41352HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on t…
- CVE-2026-41353HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.3.222026-04-23
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection. Remote attac…
- CVE-2026-41354LOWCVSS 3.7EG 3.7✓ Fixed in 2026.4.22026-04-23
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to …
- CVE-2026-41355HIGHCVSS 7.3EG 7.3✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary code on the host during gateway…
- CVE-2026-41356MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotat…
- CVE-2026-41357LOWCVSS 3.3EG 3.3✓ Fixed in 2026.3.312026-04-23
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwa…
- CVE-2026-41358MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.4.22026-04-23
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sende…
- CVE-2026-41359HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers wit…
- CVE-2026-41361HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.3.282026-04-23
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable IPv6 addresses to bypass SSRF protection…
- CVE-2026-41363MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.282026-04-28
OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during u…
- CVE-2026-41364HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.3.312026-04-28
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sa…
- CVE-2026-41365MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.3.312026-04-28
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering r…
- CVE-2026-41369MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.312026-04-28
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious…
- CVE-2026-41372MEDIUMCVSS 5.8EG 5.8✓ Fixed in 2026.4.22026-04-28
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning localhost. to retarget authentic…
- CVE-2026-41373MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.3.312026-04-28
OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER via envir…
- CVE-2026-41374MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.3.312026-04-28
OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing without membe…
- CVE-2026-41375MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.3.282026-04-28
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication re…
Check whether openclaw is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for openclaw CVEs against the assets you own.
Start Free Scan →