CVE-2026-45002
- EPSS 0.28%
- Published 11.05.2026 18:16:40
- Last modified 13.05.2026 14:13:21
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mapping...
- EPSS 0.11%
- Published 11.05.2026 18:16:40
- Last modified 13.05.2026 14:13:30
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint...
CVE-2026-45004
- EPSS 0.14%
- Published 11.05.2026 18:16:40
- Last modified 13.05.2026 14:13:43
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under t...
- EPSS 0.29%
- Published 11.05.2026 18:16:40
- Last modified 13.05.2026 14:14:00
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests a...
CVE-2026-45006
- EPSS 0.49%
- Published 11.05.2026 18:16:40
- Last modified 13.05.2026 14:14:28
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete denylist protec...
CVE-2026-44993
- EPSS 0.27%
- Published 11.05.2026 18:16:39
- Last modified 13.05.2026 14:11:07
OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct m...
CVE-2026-44994
- EPSS 0.32%
- Published 11.05.2026 18:16:39
- Last modified 13.05.2026 14:11:21
OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route withou...
CVE-2026-44995
- EPSS 0.14%
- Published 11.05.2026 18:16:39
- Last modified 13.05.2026 14:11:44
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables li...
CVE-2026-44996
- EPSS 0.31%
- Published 11.05.2026 18:16:39
- Last modified 13.05.2026 14:12:01
OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl paramete...
CVE-2026-44997
- EPSS 0.22%
- Published 11.05.2026 18:16:39
- Last modified 13.05.2026 14:12:19
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers ca...