OpenClaw

OpenClaw

559 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.5

CVE-2026-41408

  • EPSS 0.34%
  • Veröffentlicht 28.04.2026 18:10:05
  • Zuletzt bearbeitet 30.04.2026 19:38:19

OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering in...

5.4

CVE-2026-41406

  • EPSS 0.23%
  • Veröffentlicht 28.04.2026 18:10:04
  • Zuletzt bearbeitet 30.04.2026 19:37:48

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and...

5.3

CVE-2026-41407

  • EPSS 0.23%
  • Veröffentlicht 28.04.2026 18:10:04
  • Zuletzt bearbeitet 30.04.2026 19:38:01

OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-len...

7.5

CVE-2026-41405

  • EPSS 0.48%
  • Veröffentlicht 28.04.2026 18:10:03
  • Zuletzt bearbeitet 30.04.2026 19:37:34

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicious Teams webhook payloads to exhaust server resourc...

8.8

CVE-2026-41404

  • EPSS 0.34%
  • Veröffentlicht 28.04.2026 18:10:01
  • Zuletzt bearbeitet 30.04.2026 17:41:04

OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, all...

4

CVE-2026-41403

  • EPSS 0.26%
  • Veröffentlicht 28.04.2026 18:10:00
  • Zuletzt bearbeitet 30.04.2026 17:40:44

OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are in...

5.4

CVE-2026-41402

  • EPSS 0.27%
  • Veröffentlicht 28.04.2026 18:09:59
  • Zuletzt bearbeitet 30.04.2026 17:27:43

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache key...

7.5

CVE-2026-41400

  • EPSS 0.53%
  • Veröffentlicht 28.04.2026 18:09:58
  • Zuletzt bearbeitet 30.04.2026 17:27:07

OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption...

4.6

CVE-2026-41398

  • EPSS 0.11%
  • Veröffentlicht 28.04.2026 18:09:57
  • Zuletzt bearbeitet 30.04.2026 16:56:42

OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages fr...

7.5

CVE-2026-41399

  • EPSS 0.32%
  • Veröffentlicht 28.04.2026 18:09:57
  • Zuletzt bearbeitet 30.04.2026 16:57:40

OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker capacity to disrupt WebSocket availability for leg...