Vulnerabilities in OpenClaw
537 results

CVE-2026-28448 | MEDIUM | OpenClaw 2026.1.29 < 2026.2.1 - Authorization Bypass in Twitch Plugin allowFrom Access Control | EPSS 0.4%
CVE-2026-41378 | HIGH | OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch | EPSS 0.4%
CVE-2026-35620 | MEDIUM | OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands | EPSS 0.4%
CVE-2026-32042 | HIGH | OpenClaw < 2026.2.25 - Privilege Escalation via Unpaired Device Identity in Shared Gateway Authentication | EPSS 0.4%
CVE-2026-28460 | MEDIUM | OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run | EPSS 0.4%
CVE-2026-28393 | HIGH | OpenClaw 2.0.0-beta3 < 2026.2.14 - Arbitrary JavaScript Module Loading via Hook Transform Path Traversal | EPSS 0.4%
CVE-2026-28478 | HIGH | OpenClaw < 2026.2.13 - Denial of Service via Unbounded Webhook Request Body Buffering | EPSS 0.4%
CVE-2026-35640 | MEDIUM | OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing | EPSS 0.4%
CVE-2026-32036 | HIGH | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | EPSS 0.4%
CVE-2026-29607 | HIGH | OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence | EPSS 0.4%
CVE-2026-26320 | HIGH | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | EPSS 0.4%
CVE-2026-32062 | HIGH | OpenClaw 2026.2.21-2 < 2026.2.22 - Unauthenticated WebSocket Resource Exhaustion via Media Stream | EPSS 0.4%
CVE-2026-29609 | HIGH | OpenClaw < 2026.2.14 - Denial of Service via Unbounded URL-backed Media Fetch | EPSS 0.4%
CVE-2026-28462 | HIGH | OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths | EPSS 0.4%
CVE-2026-43566 | CRITICAL | OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events | EPSS 0.4%
CVE-2026-35652 | MEDIUM | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch | EPSS 0.4%
CVE-2026-28466 | CRITICAL | OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass | EPSS 0.4%
CVE-2026-27566 | HIGH | OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run | EPSS 0.4%
CVE-2026-53810 | HIGH | OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata | EPSS 0.4%
CVE-2026-53806 | HIGH | OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation | EPSS 0.4%