HIGH 7.7 npm
GHSA-25gx-x37c-7pph · CVE-2026-32064 OpenClaw's andbox browser noVNC observer lacked VNC authentication
Modified: 3/30/2026
package
npm / openclaw
pkg:npm/openclaw
MEDIUM 4.3 npm
GHSA-25pw-4h6w-qwvm · CVE-2026-32006 OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
Modified: 3/30/2026
LOW 3.7 npm
GHSA-25wv-8phj-8p7r · CVE-2026-41913 OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret rate-limit budget on Tailscale-capable paths
Modified: 5/6/2026
HIGH 8.2 npm
GHSA-2767-2q9v-9326 · CVE-2026-43526 OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes
Modified: 5/8/2026
HIGH 7.5 npm
GHSA-27cr-4p5m-74rj · CVE-2026-32033 OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
Modified: 3/25/2026
MEDIUM 5.5 npm
GHSA-2858-xg23-26fp OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots
Modified: 3/4/2026
HIGH npm
GHSA-2ch6-x3g4-7759 OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From
Modified: 3/4/2026
HIGH 8.8 npm
GHSA-2cq5-mf3v-mx44 · CVE-2026-43530 OpenClaw: busybox and toybox applet execution weakened exec approval binding
Modified: 5/8/2026
MEDIUM 4.3 npm
GHSA-2f7j-rp58-mr42 · CVE-2026-41339 OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
Modified: 5/6/2026
MEDIUM 6.6 npm
GHSA-2fgq-7j6h-9rm4 · CVE-2026-32003 OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
Modified: 3/30/2026
HIGH 8.6 npm
GHSA-2hh7-c75g-qj2r · CVE-2026-44116 OpenClaw validates Zalo outbound photo URLs through the SSRF guard
Modified: 5/12/2026
MEDIUM npm
GHSA-2hm8-rqrm-xfjq OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
Modified: 3/4/2026
MEDIUM npm
GHSA-2mc2-g238-722j OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
Modified: 3/4/2026
HIGH 7.5 npm
GHSA-2pr2-hcv6-7gwv · CVE-2026-34503 OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Modified: 4/6/2026
HIGH npm
GHSA-2qj5-gwg2-xwc4 · CVE-2026-27001 OpenClaw: Unsanitized CWD path injection into LLM prompts
Modified: 2/20/2026
MEDIUM npm
GHSA-2qrv-rc5x-2g2h · CVE-2026-41295 OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
Modified: 4/20/2026
MEDIUM 5.3 npm
GHSA-2rgf-hm63-5qph · CVE-2026-32029 OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Modified: 3/25/2026
HIGH 8.8 npm
GHSA-2rqg-gjgv-84jm OpenClaw: Gateway `agent` calls could override the workspace boundary
Modified: 3/14/2026
MEDIUM 5.3 npm
GHSA-2w79-r9g8-wmcr · CVE-2026-41400 OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Modified: 5/6/2026
MEDIUM 4.6 npm
GHSA-2ww6-868g-2c56 · CVE-2026-32040 OpenClaw Vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation
Modified: 3/30/2026
CRITICAL 9.8 npm
GHSA-2x4x-cc5g-qmmg · CVE-2026-33577 OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Modified: 4/6/2026
MEDIUM npm
GHSA-2xcp-x87w-q377 · CVE-2026-45002 OpenClaw: Hook mapping templates could bypass hook session-key opt-in
Modified: 5/19/2026
MEDIUM 6.1 npm
GHSA-3298-56p6-rpw2 · CVE-2026-35667 OpenClaw has incomplete Fix for CVE-2026-27486: Unvalidated SIGKILL in `!stop` Chat Command via `shell-utils.ts`
Modified: 4/10/2026
MEDIUM 6.5 npm
GHSA-33hm-cq8r-wc49 · CVE-2026-32026 Temporary path handling could write outside OpenClaw temp boundary
Modified: 3/20/2026
HIGH 7.3 npm
GHSA-33rq-m5x2-fvgf · CVE-2026-28448 OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline
Modified: 3/13/2026
LOW 3.7 npm
GHSA-354r-7mfh-7rh2 · CVE-2026-32028 OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
Modified: 3/20/2026
MEDIUM 6.5 npm
GHSA-35mw-5vvr-vrxc · CVE-2026-43570 OpenClaw contains a symlink traversal vulnerability
Modified: 5/8/2026
MEDIUM npm
GHSA-36h3-7c54-j27r · CVE-2026-32054 OpenClaw has browser trace/download path symlink escape in temp output handling
Modified: 3/27/2026
MEDIUM 5.8 npm
GHSA-37gc-85xm-2ww6 · CVE-2026-27009 OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Modified: 2/20/2026
MEDIUM 5.3 npm
GHSA-37v6-fxx8-xjmx · CVE-2026-41351 OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Modified: 5/6/2026
MEDIUM npm
GHSA-392f-ggf5-fp3c OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists
Modified: 3/4/2026
MEDIUM 5.4 npm
GHSA-39mp-545q-w789 · CVE-2026-35620 OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
Modified: 4/10/2026
HIGH 7.5 npm
GHSA-39pp-xp36-q6mg · CVE-2026-35650 OpenClaw has Inconsistent Host Exec Environment Override Sanitization
Modified: 4/10/2026
HIGH 8.8 npm
GHSA-3c6h-g97w-fg78 · CVE-2026-28363, CVE-2026-32059 OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
Modified: 3/13/2026
HIGH 7.5 npm
GHSA-3cvx-236h-m9fj · CVE-2026-32034 OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access
Modified: 3/25/2026
HIGH 7.3 npm
GHSA-3cw3-5vxw-g2h3 · CVE-2026-41342 OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials
Modified: 5/8/2026
HIGH 7.1 npm
GHSA-3fqr-4cg8-h96q · CVE-2026-26317 OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
Modified: 2/20/2026
MEDIUM npm
GHSA-3fv3-6p2v-gxwj · CVE-2026-41914 OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
Modified: 4/28/2026
MEDIUM 5.0 npm
GHSA-3h2q-j2v4-6w5r OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers
Modified: 3/9/2026
MEDIUM npm
GHSA-3h52-cx59-c456 · CVE-2026-35640 OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Modified: 4/10/2026
CRITICAL 9.8 npm
GHSA-3hcm-ggvf-rch5 · CVE-2026-28470 OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes
Modified: 3/6/2026
HIGH npm
GHSA-3jx4-q2m7-r496 OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations
Modified: 3/4/2026
LOW npm
GHSA-3pm9-5j7m-59vc · CVE-2026-41388 OpenClaw: Tlon Startup Migration Rehydrates Empty-Array Revocations From File Config
Modified: 4/28/2026
MEDIUM 5.3 npm
GHSA-3pxq-f3cp-jmxp · CVE-2026-22180 OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
Modified: 3/18/2026
MEDIUM npm
GHSA-3q42-xmxv-9vfr · CVE-2026-41379 OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
Modified: 4/28/2026
HIGH 7.8 npm
GHSA-3qpv-xf3v-mm45 · CVE-2026-41336 OpenClaw: Workspace `.env` can override the bundled hooks root and load attacker hook code
Modified: 5/6/2026
HIGH 7.1 npm
GHSA-3vvq-q2qc-7rmp · CVE-2026-42428 OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
Modified: 5/6/2026
HIGH npm
GHSA-3w6x-gv34-mqpf OpenClaw's mutating internal ACP chat commands missed operator.admin scope enforcement
Modified: 3/26/2026
HIGH 7.1 npm
GHSA-3x3x-h76w-hp98 · CVE-2026-32017 OpenClaw exec allowlist safeBins short-option bypass could permit arbitrary file write
Modified: 3/30/2026
MEDIUM 6.5 npm
GHSA-3xfw-4pmr-4xc5 · CVE-2026-32022 OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
Modified: 6/8/2026
MEDIUM 4.0 npm
GHSA-3xv9-89fm-7h4r · CVE-2026-41403 OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled
Modified: 5/6/2026
HIGH 7.3 npm
GHSA-42mx-vp8m-j7qh · CVE-2026-41355 OpenClaw: OpenShell `mirror` mode can convert untrusted sandbox files into explicitly enabled workspace hooks and execute them on the host during gateway startup
Modified: 5/6/2026
MEDIUM npm
GHSA-43x4-g22p-3hrq · CVE-2026-32046 OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
Modified: 3/30/2026
HIGH 7.6 npm
GHSA-4564-pvr2-qq4h · CVE-2026-27487 OpenClaw: Prevent shell injection in macOS keychain credential write
Modified: 2/23/2026
MEDIUM 6.5 npm
GHSA-45cg-2683-gfmq · CVE-2026-32008 OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
Modified: 4/2/2026
LOW 3.6 npm
GHSA-4685-c5cp-vp95 · CVE-2026-31996 OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
Modified: 3/19/2026
HIGH 8.0 npm
GHSA-474h-prjg-mmw3 OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization
Modified: 3/4/2026
MEDIUM 4.8 npm
GHSA-47q7-97xp-m272 · CVE-2026-28475 OpenClaw: Config writes could persist resolved ${VAR} secrets to disk
Modified: 3/6/2026
HIGH npm
GHSA-48vw-m3qc-wr99 OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths
Modified: 3/26/2026
MEDIUM npm
GHSA-48wf-g7cp-gr3m · CVE-2026-31992 OpenClaw has allowlist exec-guard bypass via env -S
Modified: 3/20/2026
MEDIUM 6.5 npm
GHSA-49cg-279w-m73x · CVE-2026-43574 OpenClaw: Empty approver lists could grant explicit approval authorization
Modified: 5/8/2026
MEDIUM 6.5 npm
GHSA-4cqv-h74h-93j4 OpenClaw has a Discord `allowFrom` slug-collision authorization bypass
Modified: 3/4/2026
HIGH 7.1 npm
GHSA-4f8g-77mw-3rxc · CVE-2026-42429 OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`
Modified: 6/8/2026
MEDIUM 6.5 npm
GHSA-4g5x-2jfc-xm98 · CVE-2026-41408 OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
Modified: 5/6/2026
HIGH 8.8 npm
GHSA-4gc7-qcvf-38wg · CVE-2026-32010 In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
Modified: 3/30/2026
HIGH 7.5 npm
GHSA-4hg8-92x6-h2f3 · CVE-2026-26319 OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
Modified: 2/20/2026
MEDIUM 4.3 npm
GHSA-4hmj-39m8-jwc7 · CVE-2026-35651 OpenClaw has ACP CLI approval prompt ANSI escape sequence injection
Modified: 5/5/2026
CRITICAL 9.9 npm
GHSA-4jpw-hj22-2xmc OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
Modified: 3/14/2026
MEDIUM npm
GHSA-4p4f-fc8q-84m3 · CVE-2026-41398 OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Modified: 4/28/2026
HIGH npm
GHSA-4qwc-c7g9-4xcw · CVE-2026-35633 OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
Modified: 4/10/2026
CRITICAL 9.4 npm
GHSA-4rj2-gpmh-qq5x · CVE-2026-28446 OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)
Modified: 3/13/2026
MEDIUM 5.3 npm
GHSA-4rqq-w8v4-7p47 · CVE-2026-32019 OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
Modified: 5/5/2026
HIGH 8.8 npm
GHSA-4w7m-58cg-cmff OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries
Modified: 3/14/2026
HIGH npm
GHSA-525j-hqq2-66r4 OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0
Modified: 4/17/2026
HIGH 7.7 npm
GHSA-527m-976r-jf79 · CVE-2026-43573 OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
Modified: 5/8/2026
MEDIUM 4.2 npm
GHSA-52q4-3xjc-6778 · CVE-2026-35617 OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName
Modified: 4/18/2026
MEDIUM 5.6 npm
GHSA-52vj-fvrv-7q82 · CVE-2026-6011 OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
Modified: 4/10/2026
MEDIUM npm
GHSA-534w-2vm4-89xr OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
Modified: 3/4/2026
HIGH 7.7 npm
GHSA-536q-mj95-h29h · CVE-2026-43580 OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
Modified: 5/12/2026
HIGH 7.7 npm
GHSA-53vx-pmqw-863c · CVE-2026-43527 OpenClaw: Browser SSRF policy default allowed private-network navigation
Modified: 5/8/2026
MEDIUM npm
GHSA-553v-f69r-656j · CVE-2026-32042 OpenClaw unpaired device identity can bypass operator pairing and self-assign operator scopes with shared auth
Modified: 4/2/2026
MEDIUM npm
GHSA-55cf-xx38-4p9p · CVE-2026-45003 OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
Modified: 5/19/2026
HIGH 7.6 npm
GHSA-56f2-hvwg-5743 OpenClaw affected by SSRF in Image Tool Remote Fetch
Modified: 2/22/2026
MEDIUM 4.4 npm
GHSA-56pc-6hvp-4gv4 · CVE-2026-32061 OpenClaw vulnerable to arbitrary file read via $include directive
Modified: 3/13/2026
HIGH npm
GHSA-57gh-m6rq-54cf OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration
Modified: 4/3/2026
LOW npm
GHSA-57r2-h2wj-g887 · CVE-2026-44999 OpenClaw: Isolated cron awareness events were recorded as trusted system events
Modified: 5/19/2026
MEDIUM npm
GHSA-5847-rm3g-23mw OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
Modified: 3/4/2026
MEDIUM npm
GHSA-58q2-7r52-jq62 OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
Modified: 4/3/2026
LOW npm
GHSA-5f9p-f3w2-fwch · CVE-2026-31993 OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
Modified: 3/19/2026
LOW npm
GHSA-5fc7-f62m-8983 · CVE-2026-41911 OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
Modified: 4/28/2026
LOW 3.3 npm
GHSA-5ghc-98wh-gwwf · CVE-2026-32020 OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
Modified: 3/19/2026
MEDIUM 5.7 npm
GHSA-5gj7-jf77-q2q2 · CVE-2026-32009 OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
Modified: 3/30/2026
MEDIUM npm
GHSA-5gjc-grvm-m88j · CVE-2026-43568 OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
Modified: 5/5/2026
MEDIUM 5.3 npm
GHSA-5h2c-8v84-qpvr OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths
Modified: 3/4/2026
MEDIUM 5.4 npm
GHSA-5h2w-qmfp-ggp6 · CVE-2026-41344 OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Modified: 5/8/2026
MEDIUM npm
GHSA-5h3f-885m-v22w · CVE-2026-42421 OpenClaw: Existing WS sessions survive shared gateway token rotation
Modified: 4/28/2026
MEDIUM 5.3 npm
GHSA-5h3g-6xhh-rg6p · CVE-2026-44113 OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
Modified: 5/12/2026
MEDIUM 5.4 npm
GHSA-5hff-46vh-rxmw · CVE-2026-41298 OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
Modified: 5/5/2026
MEDIUM npm
GHSA-5jvj-hxmh-6h6j · CVE-2026-35657 OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Modified: 4/10/2026
MEDIUM npm
GHSA-5m9r-p9g7-679c · CVE-2026-34505 OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Modified: 4/6/2026