OpenClaw

559 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.47%
  • Published 28.04.2026 18:09:56
  • Last modified 30.04.2026 20:54:52

OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting ma...

  • EPSS 0.13%
  • Published 28.04.2026 18:09:55
  • Last modified 30.04.2026 20:50:00

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overr...

  • EPSS 0.29%
  • Published 28.04.2026 18:09:54
  • Last modified 30.04.2026 20:45:14

OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime acti...

  • EPSS 0.15%
  • Published 28.04.2026 18:09:54
  • Last modified 30.04.2026 20:45:25

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay ca...

  • EPSS 0.12%
  • Published 28.04.2026 18:09:53
  • Last modified 30.04.2026 20:45:01

OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through...

  • EPSS 0.12%
  • Published 28.04.2026 18:09:52
  • Last modified 30.04.2026 20:42:43

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to loa...

  • EPSS 0.13%
  • Published 28.04.2026 18:09:51
  • Last modified 30.04.2026 20:42:12

OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manip...

  • EPSS 0.31%
  • Published 28.04.2026 18:09:50
  • Last modified 30.04.2026 20:37:42

OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassin...

  • EPSS 0.12%
  • Published 28.04.2026 18:09:50
  • Last modified 30.04.2026 20:38:27

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers can obtain user approval for one wrapped command t...

  • EPSS 0.24%
  • Published 28.04.2026 18:09:49
  • Last modified 30.04.2026 20:36:10

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec req...