OpenClaw

331 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.
  • EPSS 0.08%
  • Published 31.03.2026 14:10:33
  • Last modified 01.04.2026 18:54:45

OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inb...
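The flaw class above is an online brute force against a shared secret that the receiver never throttles. The following is an added illustration, not OpenClaw's code: it models a webhook receiver whose requests carry an HMAC-SHA256 over the body (an assumed scheme), compares digests in constant time, and shows the unthrottled verifier next to one that caps failed verifications per source within a time window. The request shape, the `source` rate-limit key and the 4-digit secret are constructed for the example.

```typescript
// Added illustration, not OpenClaw code. Compares an unthrottled webhook
// secret check with one that limits failed attempts per source.
import { createHmac, timingSafeEqual } from "node:crypto";

export interface WebhookRequest {
  source: string;     // remote address or tenant id used as the rate-limit key (assumed)
  body: string;
  signature: string;  // hex HMAC-SHA256 over body (assumed scheme)
  receivedAt: number; // ms timestamp, injected so runs are deterministic
}

export function sign(secret: string, body: string): string {
  return createHmac("sha256", secret).update(body).digest("hex");
}

// Constant-time comparison of two hex digests; a length mismatch is rejected
// without comparing content.
function digestsEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  if (ab.length === 0 || ab.length !== bb.length) return false;
  return timingSafeEqual(ab, bb);
}

// Vulnerable pattern: every request gets a fresh verification, so anyone who can
// reach the endpoint may try candidate secrets as fast as the server answers.
export function verifyUnlimited(secret: string, req: WebhookRequest): boolean {
  return digestsEqual(sign(secret, req.body), req.signature);
}

export class RateLimitedVerifier {
  private readonly secret: string;
  private readonly maxFailures: number;
  private readonly windowMs: number;
  private readonly failures = new Map<string, { count: number; windowStart: number }>();

  constructor(secret: string, maxFailures = 5, windowMs = 60_000) {
    this.secret = secret;
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
  }

  // Once a source has exceeded maxFailures failed verifications inside windowMs,
  // further requests are refused before the HMAC is computed, so guessing is
  // capped at maxFailures per window instead of being unbounded.
  verify(req: WebhookRequest): "ok" | "forged" | "rate_limited" {
    const entry = this.failures.get(req.source);
    const inWindow = entry !== undefined && req.receivedAt - entry.windowStart < this.windowMs;
    if (entry !== undefined && inWindow && entry.count >= this.maxFailures) return "rate_limited";

    if (digestsEqual(sign(this.secret, req.body), req.signature)) {
      this.failures.delete(req.source);
      return "ok";
    }
    if (entry !== undefined && inWindow) entry.count += 1;
    else this.failures.set(req.source, { count: 1, windowStart: req.receivedAt });
    return "forged";
  }
}

// Simulates an attacker guessing a weak 4-digit secret from one source and
// reports how many guesses each variant accepted before the secret was found
// (unlimited) or the limiter refused further attempts (limited).
export function simulateBruteForce(secret: string): { unlimitedGuesses: number; limitedGuesses: number; limitedFound: boolean } {
  const body = '{"event":"message"}'; // constructed sample payload
  let unlimitedGuesses = 0;
  for (let i = 0; i < 10_000; i++) {
    unlimitedGuesses++;
    const guess = String(i).padStart(4, "0");
    if (verifyUnlimited(secret, { source: "10.0.0.9", body, signature: sign(guess, body), receivedAt: 0 })) break;
  }
  const limited = new RateLimitedVerifier(secret, 5, 60_000);
  let limitedGuesses = 0;
  let limitedFound = false;
  for (let i = 0; i < 10_000; i++) {
    const guess = String(i).padStart(4, "0");
    const r = limited.verify({ source: "10.0.0.9", body, signature: sign(guess, body), receivedAt: i });
    if (r === "rate_limited") break;
    limitedGuesses++;
    if (r === "ok") { limitedFound = true; break; }
  }
  return { unlimitedGuesses, limitedGuesses, limitedFound };
}
```

The limiter only narrows the window; a secret that is short enough to enumerate still needs to be replaced, and a distributed attacker rotating sources needs a global budget as well as the per-source one shown here.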

  • EPSS 0.05%
  • Published 31.03.2026 14:10:33
  • Last modified 01.04.2026 19:01:07

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit t...
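The point of the entry above is that a containment check is only as good as its coverage of every input that names a file. The following is an added illustration, not OpenClaw's code: a message tool that accepts a local file reference under a canonical `path` parameter and two alias parameters (the alias names `mediaUrl` and `fileUrl` are taken from the description; the `path` field, the `file://` handling and the root directories are assumptions). The vulnerable shape validates only the canonical parameter; the hardened shape collapses all aliases to one value before a single containment check against `localRoots`.

```typescript
// Added illustration, not OpenClaw code. Shows an alias parameter skipping the
// localRoots containment check, and the fix of validating after collapsing aliases.
import * as path from "node:path";

export interface MessageParams {
  path?: string;     // canonical parameter (assumed name)
  mediaUrl?: string; // alias names from the advisory text
  fileUrl?: string;
}

// Returns the absolute path if `candidate` resolves inside one of `localRoots`,
// otherwise null. path.relative is used so that "/srv/media-evil" is not treated
// as inside "/srv/media", and any ".." escape after normalisation is rejected.
export function resolveWithinRoots(candidate: string, localRoots: string[]): string | null {
  const abs = path.resolve(candidate);
  for (const root of localRoots) {
    const rel = path.relative(path.resolve(root), abs);
    const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
    if (!escapes) return abs;
  }
  return null;
}

function stripFileScheme(ref: string): string {
  return ref.startsWith("file://") ? ref.slice("file://".length) : ref;
}

// Vulnerable shape: only `path` goes through the containment check; the aliases
// are resolved as given, so a caller can name any local file through them.
export function pickLocalFileVulnerable(p: MessageParams, localRoots: string[]): string | null {
  if (p.path !== undefined) return resolveWithinRoots(p.path, localRoots);
  if (p.mediaUrl !== undefined) return path.resolve(stripFileScheme(p.mediaUrl));
  if (p.fileUrl !== undefined) return path.resolve(stripFileScheme(p.fileUrl));
  return null;
}

// Hardened shape: collapse every alias to one reference first, then validate once.
export function pickLocalFileHardened(p: MessageParams, localRoots: string[]): string | null {
  const ref = p.path ?? p.mediaUrl ?? p.fileUrl;
  if (ref === undefined) return null;
  return resolveWithinRoots(stripFileScheme(ref), localRoots);
}
```

When reviewing a fix of this kind, grep for every parameter that ends up in a filesystem call and confirm each one reaches the same resolver; symlinks inside a root still need a `realpath` step, which this lexical check does not perform.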

Media report
  • EPSS 0.02%
  • Published 31.03.2026 14:10:32
  • Last modified 06.04.2026 23:16:26

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pend...

  • EPSS 0.01%
  • Published 31.03.2026 14:10:31
  • Last modified 01.04.2026 19:17:23

OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in nod...
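The two entries above (the /pair approve command path and the node pairing approval path) describe the same weakness: the core approval check is reached without the caller's real scopes, so a principal who may only initiate pairing ends up approving nodes, and with scopes broader than its own. The following is an added illustration, not OpenClaw's code. The scope names, the `Caller` and `PendingPairing` shapes, and the way the vulnerable path substitutes a full-scope list for the missing `callerScopes` are modelling assumptions chosen to make the failure visible.

```typescript
// Added illustration, not OpenClaw code. A core approval check that needs the
// caller's scopes, called once without them (vulnerable) and once with them.
export type Scope = "admin" | "pairing" | "node:read" | "node:write" | "node:exec"; // assumed scope names

export interface PendingPairing { id: string; requestedScopes: Scope[] }
export interface Caller { id: string; scopes: Scope[] }

export type Decision = { ok: true; granted: Scope[] } | { ok: false; reason: string };

// Core check. `callerScopes` must be the real scopes of the principal issuing the
// approval: approval needs admin, and a node may not be granted a scope the
// approver does not hold.
export function coreApprove(pending: PendingPairing, callerScopes: Scope[]): Decision {
  if (!callerScopes.includes("admin")) return { ok: false, reason: "approval requires admin scope" };
  const excess = pending.requestedScopes.filter((s) => !callerScopes.includes(s));
  if (excess.length > 0) return { ok: false, reason: "caller cannot grant: " + excess.join(",") };
  return { ok: true, granted: [...pending.requestedScopes] };
}

// Vulnerable command path: the handler confirms the caller may use pairing, then
// invokes the core check without forwarding caller.scopes. Here that omission is
// modelled as a default full-scope list (assumption), which makes both checks in
// coreApprove trivially pass.
export function pairApproveVulnerable(caller: Caller, pending: PendingPairing): Decision {
  if (!caller.scopes.includes("pairing")) return { ok: false, reason: "pairing scope required" };
  const defaultScopes: Scope[] = ["admin", "pairing", "node:read", "node:write", "node:exec"];
  return coreApprove(pending, defaultScopes);
}

// Hardened command path: the caller's actual scopes reach the core check.
export function pairApproveHardened(caller: Caller, pending: PendingPairing): Decision {
  if (!caller.scopes.includes("pairing")) return { ok: false, reason: "pairing scope required" };
  return coreApprove(pending, caller.scopes);
}
```

The durable fix is to make `callerScopes` a required parameter with no default, so that a call site that forgets to forward it fails to compile rather than silently approving.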

  • EPSS 0.01%
  • Published 31.03.2026 14:10:31
  • Last modified 01.04.2026 19:12:56

OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypa...

  • EPSS 0.05%
  • Published 31.03.2026 14:10:30
  • Last modified 01.04.2026 19:19:24

OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently reject...

  • EPSS 0.06%
  • Published 31.03.2026 11:17:22
  • Last modified 01.04.2026 14:16:53

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

  • EPSS 0.03%
  • Published 31.03.2026 11:17:22
  • Last modified 01.04.2026 14:16:54

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

  • EPSS 0.03%
  • Published 31.03.2026 11:17:21
  • Last modified 01.04.2026 19:27:12

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAll...
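This Microsoft Teams entry and the Google Chat / Zalouser entry further up describe one policy-resolution bug: a route that opted into a group allowlist, but whose list is empty or missing, is resolved to the channel's open default instead of to "nobody". The following is an added illustration, not OpenClaw's code, covering both entries. The `channelPolicy` and `groupAllowFrom` field names and the three-way `Policy` type are assumptions; the advisory text gives only the behaviour.

```typescript
// Added illustration, not OpenClaw code. Per-route sender policy resolution for
// a chat channel, showing the empty-allowlist downgrade and its correction.
export type Policy =
  | { kind: "open" }
  | { kind: "allowlist"; senders: Set<string> }
  | { kind: "deny" };

export interface RouteConfig {
  channelPolicy: "open" | "allowlist"; // channel-wide default (assumed field name)
  groupAllowFrom?: string[];           // per-route allowlist, may be empty (assumed field name)
}

// Vulnerable resolution: a route configured for allowlisting but with an empty
// (or absent) list falls through to the channel default, which here is "open",
// so every sender is admitted on exactly the route meant to be restricted.
export function resolvePolicyVulnerable(route: RouteConfig): Policy {
  if (route.groupAllowFrom && route.groupAllowFrom.length > 0) {
    return { kind: "allowlist", senders: new Set(route.groupAllowFrom) };
  }
  return route.channelPolicy === "open" ? { kind: "open" } : { kind: "deny" };
}

// Hardened resolution: once a route carries an allowlist, an empty list means
// nobody, never everybody. Only an explicit open channel policy with no route
// allowlist admits all senders.
export function resolvePolicyHardened(route: RouteConfig): Policy {
  if (route.groupAllowFrom !== undefined) {
    return { kind: "allowlist", senders: new Set(route.groupAllowFrom) };
  }
  return route.channelPolicy === "open" ? { kind: "open" } : { kind: "deny" };
}

export function isAllowed(policy: Policy, sender: string): boolean {
  if (policy.kind === "open") return true;
  if (policy.kind === "deny") return false;
  return policy.senders.has(sender);
}
```

A useful regression test for any allowlist feature is the one in the assertions here: an empty list must deny, and a configuration that was meant to restrict must never resolve to the same policy as one that never restricted.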

  • EPSS 0.01%
  • Published 31.03.2026 11:17:20
  • Last modified 02.04.2026 12:26:04

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path al...