OpenClaw

OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows attackers to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.

OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function, allowing attackers to mint tokens for unapproved roles and bypass intended approval processes.

OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.

OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.

OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.

OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.

OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability that allows previously paired nodes to reconnect and execute privileged commands without proper authorization, potentially leading to complete system compromise.

OpenClaw before 2026.4.8 contains an improper authorization vulnerability (CVE-2026-42426) allowing attackers with `operator.write` permissions to bypass node pairing approval and gain unauthorized access to `exec`-capable nodes by exploiting the `node.pair.approve` method which incorrectly accepts the `operator.write` scope instead of the narrower `operator.pairing` scope.

OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.

OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.

OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.

OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.

OpenClaw before 2026.3.31 allows attackers to execute arbitrary code by overriding the OPENCLAW_BUNDLED_HOOKS_DIR environment variable using a workspace .env file, enabling the loading of attacker-controlled hook code.