OpenClaw

559 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without any guarantee.
  • EPSS 0.3%
  • Published 23.04.2026 22:16:39
  • Last modified 28.04.2026 18:55:50

OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bo...

  • EPSS 0.13%
  • Published 23.04.2026 22:16:39
  • Last modified 28.04.2026 18:55:54

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces...

  • EPSS 0.23%
  • Published 23.04.2026 22:16:39
  • Last modified 28.04.2026 18:55:58

OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can expl...

  • EPSS 0.09%
  • Published 23.04.2026 22:16:39
  • Last modified 28.04.2026 18:56:08

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to m...

  • EPSS 0.11%
  • Published 23.04.2026 22:16:38
  • Last modified 29.04.2026 17:10:15

OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavi...

  • EPSS 0.22%
  • Published 23.04.2026 18:16:29
  • Last modified 28.04.2026 19:41:00

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identi...

  • EPSS 0.17%
  • Published 23.04.2026 18:16:29
  • Last modified 28.04.2026 19:40:13

OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on ...

  • EPSS 0.3%
  • Published 20.04.2026 23:08:17
  • Last modified 27.04.2026 15:08:05

OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to ...

  • EPSS 0.3%
  • Published 20.04.2026 23:08:16
  • Last modified 27.04.2026 15:09:01

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbo...

  • EPSS 0.12%
  • Published 20.04.2026 23:08:16
  • Last modified 27.04.2026 15:08:32

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables ...