Openclaw

A remote, authenticated attacker can exploit multiple vulnerabilities in OpenClaw to bypass security mechanisms, gain elevated privileges, disclose information, manipulate configurations, execute arbitrary commands or code, and attack internal systems via SSRF.

OpenClaw before 2026.4.23 contains an improper access control vulnerability (CVE-2026-45006) in the gateway tool's config.apply and config.patch operations, allowing compromised models to write unsafe configuration changes and persist malicious config modifications by bypassing an incomplete denylist.

OpenClaw before version 2026.4.23 is vulnerable to arbitrary code execution (CVE-2026-45004) due to insecurely loading the setup-api.js file from the current working directory, allowing attackers to execute arbitrary JavaScript under the current user account.

OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints, allowing a prompt-injected model with access to the owner-only gateway tool to persist unauthorized changes to protected operator settings.

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability (CVE-2026-44995) in MCP stdio server configuration, allowing attackers to execute arbitrary code via malicious workspace configurations that pass dangerous startup variables.

OpenClaw before 2026.4.22 is vulnerable to server-side request forgery (SSRF) due to improper validation of outbound photo URLs in the Zalo plugin's sendPhoto function, allowing attackers to potentially access internal resources by providing malicious photo URLs to the Zalo Bot API.

OpenClaw before 2026.4.20 is vulnerable to improper environment variable namespace reservation, allowing attackers to override critical runtime variables via workspace dotenv files.

OpenClaw before 2026.4.22 is vulnerable to shell expansion in unquoted heredoc bodies, allowing attackers to bypass exec allowlist validation and execute unauthorized commands.

OpenClaw before 2026.4.10 is vulnerable to an insufficient environment variable denylist, allowing attackers to manipulate interpreter startup variables to influence execution behavior or network connectivity.

OpenClaw before version 2026.4.10 contains an incomplete navigation guard vulnerability, allowing attackers to trigger navigation without proper SSRF policy enforcement by bypassing post-action security checks via browser interactions like pressKey and type submit flows, potentially leading to unauthorized Server-Side Request Forgery (SSRF).

A vulnerability in OpenClaw versions before 2026.4.23 allows a compromised model with access to the `gateway` tool to persist unsafe config changes that cross security boundaries due to an insufficient denylist.

OpenClaw before 2026.4.10 is vulnerable to a plugin trust bypass, allowing attackers to craft malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.

OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution, allowing attackers to obscure which applet would run, bypass exec approval mechanisms, and weaken risk classification of unsafe applet invocations.

OpenClaw before version 2026.4.10 contains an input validation vulnerability (CVE-2026-43534) allowing external hook metadata to be enqueued as trusted system events, enabling attackers to escalate privileges.

OpenClaw before version 2026.4.9 is vulnerable to environment variable injection, allowing attackers to use malicious workspace .env files to set runtime-control variables and compromise application behavior affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths.

OpenClaw before 2026.4.10 is vulnerable to an arbitrary file read via specially crafted QQBot media tags, allowing attackers to disclose local files through outbound media handling.

OpenClaw versions prior to 2026.4.10 are vulnerable to a sender policy bypass, allowing attackers with restricted read access to disclose local files by triggering host-media attachment loading, bypassing authorization boundaries.

OpenClaw versions before 2026.4.12 are vulnerable to environment variable injection, allowing attackers to bypass shell wrapper detection and manipulate execution semantics by modifying shell variables.

OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows attackers to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function, allowing attackers to mint tokens for unapproved roles and bypass intended approval processes.

OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.

OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.

OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.

OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.

OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability that allows previously paired nodes to reconnect and execute privileged commands without proper authorization, potentially leading to complete system compromise.

OpenClaw before 2026.4.8 contains an improper authorization vulnerability (CVE-2026-42426) allowing attackers with `operator.write` permissions to bypass node pairing approval and gain unauthorized access to `exec`-capable nodes by exploiting the `node.pair.approve` method which incorrectly accepts the `operator.write` scope instead of the narrower `operator.pairing` scope.

OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.

OpenClaw before version 2026.3.28 contains an exec allowlist bypass vulnerability (CVE-2026-41390) that allows attackers to persist trust for wrapper binaries like /usr/bin/script to execute different underlying programs, potentially leading to privilege escalation.

OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.

OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.

OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.

OpenClaw before 2026.3.31 allows attackers to execute arbitrary code by overriding the OPENCLAW_BUNDLED_HOOKS_DIR environment variable using a workspace .env file, enabling the loading of attacker-controlled hook code.

A vulnerability in OpenClaw versions 2026.4.21 and earlier allows a non-owner loopback client to spoof the owner context by manipulating request headers, potentially gaining unauthorized access to owner-gated operations.

OpenClaw before 2026.3.31 allows attackers with control over workspace configuration to inject malicious plugins by overriding the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable through workspace .env files, compromising plugin trust verification.