openclaw
npm360 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting openclawpage 7 of 8
- CVE-2026-45002MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.4.202026-05-11
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated h…
- CVE-2026-45003MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2026.4.222026-05-11
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setti…
- CVE-2026-45004HIGHCVSS 7.8EG 7.8✓ Fixed in 2026.4.232026-05-11
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScr…
- CVE-2026-45005MEDIUMCVSS 6.0EG 6.0✓ Fixed in 2026.4.232026-05-11
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating…
- CVE-2026-45006HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.4.232026-05-11
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete deny…
- CVE-2026-53806HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.122026-06-11
OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content w…
- CVE-2026-53807HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.62026-06-11
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as …
- CVE-2026-53808MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.5.62026-06-11
OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reachin…
- CVE-2026-53810HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.182026-06-11
OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata…
- CVE-2026-53811HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.72026-06-11
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change d…
- CVE-2026-53812HIGHCVSS 7.7EG 7.7✓ Fixed in 2026.5.182026-06-11
OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger naviga…
- CVE-2026-53813HIGHCVSS 7.8EG 7.8✓ Fixed in 2026.4.252026-06-11
OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts f…
- CVE-2026-53814HIGHCVSS 8.3EG 8.3✓ Fixed in 2026.5.202026-06-11
OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploi…
- CVE-2026-53815MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.5.192026-06-11
OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient v…
- CVE-2026-53816HIGHCVSS 7.2EG 7.2✓ Fixed in 2026.5.182026-06-11
OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node …
- CVE-2026-53817HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.222026-06-11
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insu…
- CVE-2026-53819HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.272026-06-11
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute…
- CVE-2026-53820MEDIUMCVSS 6.6EG 6.6✓ Fixed in 2026.5.122026-06-12
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP …
- CVE-2026-53821HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.182026-06-12
OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operat…
- CVE-2026-53823HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.5.32026-06-12
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potent…
- CVE-2026-53824MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.4.242026-06-12
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash comm…
- CVE-2026-53825MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.5.122026-06-12
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers w…
- CVE-2026-53826MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.4.262026-06-12
OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to…
- CVE-2026-53827MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.5.22026-06-12
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attacke…
- CVE-2026-53828HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.62026-06-12
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command han…
- CVE-2026-53829HIGHCVSS 8.0EG 8.0✓ Fixed in 2026.5.182026-06-12
OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes …
- CVE-2026-53831HIGHCVSS 8.1EG 8.3✓ Fixed in 2026.5.182026-06-12
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metach…
- CVE-2026-53832HIGHCVSS 7.1EG 7.7✓ Fixed in 2026.5.182026-06-12
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity head…
- CVE-2026-53834MEDIUMCVSS 6.5EG 7.5✓ Fixed in 2026.4.272026-06-12
OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access c…
- CVE-2026-53837MEDIUMCVSS 5.3EG 3.7✓ Fixed in 2026.5.62026-06-12
OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events mi…
- CVE-2026-53838CRITICALCVSS 9.8EG 9.8✓ Fixed in 2026.5.272026-06-12
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node author…
- CVE-2026-53839MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.5.72026-06-12
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted…
- CVE-2026-53840HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.5.122026-06-16
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint…
- CVE-2026-53841MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2026.5.122026-06-16
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens…
- CVE-2026-53842HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.5.22026-06-16
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository ac…
- CVE-2026-53843HIGHCVSS 8.8EG 8.8✓ Fixed in 2026.5.262026-06-16
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level…
- CVE-2026-53844MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.4.292026-06-16
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guard…
- CVE-2026-53845MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.5.62026-06-16
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable d…
- CVE-2026-53846HIGHCVSS 7.1EG 7.1✓ Fixed in 2026.4.292026-06-16
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace …
- CVE-2026-53847MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.5.62026-06-16
OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. At…
- CVE-2026-53848MEDIUMCVSS 4.3EG 4.3✓ Fixed in 2026.5.262026-06-16
OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist…
- CVE-2026-53849HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.5.72026-06-16
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can…
- CVE-2026-53850MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2026.4.252026-06-16
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command …
- CVE-2026-53851MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2026.5.122026-06-16
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reactio…
- CVE-2026-53852MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2026.4.252026-06-16
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can explo…
- CVE-2026-53853HIGHCVSS 8.3EG 8.3✓ Fixed in 2026.5.122026-06-16
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured ar…
- CVE-2026-53854MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2026.4.252026-06-16
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by se…
- CVE-2026-53855HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.4.22026-06-16
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional argumen…
- CVE-2026-53856MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2026.4.242026-06-16
vulnerable: 2026.4.23
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by …
- CVE-2026-53857HIGHCVSS 8.1EG 8.1✓ Fixed in 2026.5.32026-06-16
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive ag…
Check whether openclaw is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for openclaw CVEs against the assets you own.
Start Free Scan →