OpenClaw

559 vulnerabilities found.

Note: This list may be incomplete. Data is provided without guarantee, in its original format.
  • EPSS 0.41%
  • Published 05.05.2026 12:16:17
  • Last modified 05.05.2026 19:47:31

OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulat...

  • EPSS 0.13%
  • Published 28.04.2026 18:10:20
  • Last modified 26.05.2026 14:16:36

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute pr...

  • EPSS 0.19%
  • Published 28.04.2026 18:10:19
  • Last modified 30.04.2026 14:05:56

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be re...

  • EPSS 0.26%
  • Published 28.04.2026 18:10:19
  • Last modified 30.04.2026 14:06:11

OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard a...

  • EPSS 0.24%
  • Published 28.04.2026 18:10:18
  • Last modified 26.05.2026 14:16:36

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sen...

  • EPSS 0.14%
  • Published 28.04.2026 18:10:17
  • Last modified 30.04.2026 14:05:47

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.

  • EPSS 0.19%
  • Published 28.04.2026 18:10:16
  • Last modified 30.04.2026 14:05:26

OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject malicious build tool environme...

  • EPSS 0.28%
  • Published 28.04.2026 18:10:15
  • Last modified 30.04.2026 14:05:07

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers w...

  • EPSS 0.32%
  • Published 28.04.2026 18:10:14
  • Last modified 30.04.2026 14:04:59

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that sh...

  • EPSS 0.18%
  • Published 28.04.2026 18:10:14
  • Last modified 30.04.2026 14:05:22

OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel...