CVE-2026-32045
- EPSS 0.08%
- Published 21.03.2026 00:42:19
- Last modified 24.03.2026 21:16:28
OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTT...
- EPSS 0.01%
- Published 21.03.2026 00:42:18
- Last modified 24.03.2026 19:10:25
OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd...
CVE-2026-32044
- EPSS 0.02%
- Published 21.03.2026 00:42:18
- Last modified 23.03.2026 17:10:11
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry ...
CVE-2026-32042
- EPSS 0.11%
- Published 21.03.2026 00:42:17
- Last modified 23.03.2026 17:10:21
OpenClaw versions 2026.2.22 prior to 2026.2.25 contain a privilege escalation vulnerability allowing unpaired device identities to bypass operator pairing requirements and self-assign elevated operator scopes including operator.admin. Attackers with ...
CVE-2026-22172
- EPSS 0.02%
- Published 20.03.2026 14:48:28
- Last modified 24.03.2026 21:20:45
OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that allows shared-token or password-authenticated connections to self-declare elevated scopes without server-side binding. Attackers can...
CVE-2026-32039
- EPSS 0.02%
- Published 19.03.2026 22:16:40
- Last modified 23.03.2026 17:19:19
OpenClaw versions prior to 2026.2.22 contain an authorization bypass vulnerability in the toolsBySender group policy matching that allows attackers to inherit elevated tool permissions through identifier collision attacks. Attackers can exploit untyp...
CVE-2026-32040
- EPSS 0.02%
- Published 19.03.2026 22:16:40
- Last modified 23.03.2026 17:28:32
OpenClaw versions prior to 2026.2.23 contain an HTML injection vulnerability in the HTML session exporter that allows attackers to execute arbitrary JavaScript by injecting malicious mimeType values in image content blocks. Attackers can craft sessio...
CVE-2026-32041
- EPSS 0.02%
- Published 19.03.2026 22:16:40
- Last modified 23.03.2026 17:29:17
OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this...
CVE-2026-32034
- EPSS 0.06%
- Published 19.03.2026 22:16:39
- Last modified 25.03.2026 15:16:46
OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairin...
CVE-2026-32035
- EPSS 0.03%
- Published 19.03.2026 22:16:39
- Last modified 20.04.2026 13:43:53
OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools ...