71 matches found
CVE-2026-62229
OpenClaw prior to 2026.5.18 contains an authorization bypass in exec allowlist glob matching. This allows lower-trust callers to execute actions beyond intended authorization by crafting input paths that traverse the allowlist glob patterns when the affected feature is enabled. According to the C...
CVE-2026-62226
OpenClaw 2026.3.28 before 2026.5.19 contains an authorization bypass in the browser act route, due to failure to properly validate current-tab URL checks. This allows attackers with lower-trust access or configured input paths to perform actions that should be restricted by stronger authorization...
EUVD-2026-45113
OpenClaw versions before 2026.5.18 contain an authorization bypass vulnerability in skill command dispatch that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can bypass tool policy restrictions through configured input paths to perform...
EUVD-2026-45111
OpenClaw before 2026.5.18 contain an authorization bypass vulnerability in the device-pair approval feature that allows lower-trust callers to execute actions beyond their intended authorization. Attackers can exploit misconfigured input paths to execute or persist unauthorized actions when the...
EUVD-2026-45110
OpenClaw before 2026.5.22 contain a vulnerability in setup-mode discovery that allows loading of untrusted workspace plugins. Attackers with lower-trust caller access or control over configured input paths can execute or persist actions beyond their intended authorization level...
CVE-2026-62221
Technical details are not publicly available in the provided documents. Monitor for updates from vuln sources; no product/version specifics or remediation are given in the supplied material.
EUVD-2026-45107
OpenClaw 2026.2.12 before 2026.5.26 contain an authorization bypass vulnerability in the hooks allowedAgentIds validation. A lower-trust caller or configured input path can bypass agent ID restrictions by submitting blank agent IDs, allowing actions that should require stronger authorization or...
EUVD-2026-45105
OpenClaw 2026.5.14-beta.1 before 2026.5.27 contain an authorization flaw in the QQBot exec approvals feature. When the feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization, allowing...
EUVD-2026-45106
OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can perform actions requiring stronger authorization by reaching the affected feature through configured...
CVE-2026-62215
OpenClaw versions before 2026.6.5 are affected by an authentication bypass in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions by submitting crafted requests through configured input paths, bypassing policy checks. The CVE lists impact on confidentiality and int...
EUVD-2026-45103
OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions. Attackers can perform actions requiring stronger authorization by submitting crafted requests through configured input paths,...
EUVD-2026-45102
OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly validate serviceUrl parameters. Attackers can supply malicious serviceUrl values through configured inpu...
EUVD-2026-45101
OpenClaw versions before 2026.5.27 contain a token leakage vulnerability in MS Teams outbound requests that allows lower-trust callers to expose Bot Framework tokens. Attackers can access configured input paths to retrieve credentials that should remain within the trusted boundary...
CVE-2026-62212
CVE-2026-62212 affects OpenClaw prior to 2026.5.28. A race condition exists in the MS Teams safeFetch DNS rebinding check when the affected feature is enabled and reachable. A lower-trust caller or configured input path could win the timing window between DNS validation and usage, enabling action...
CVE-2026-62211
OpenClaw versions prior to 2026.6.1 expose a credential redaction bypass in the trajectory export feature. The flaw allows lower-trust callers to access data that should remain within trusted boundaries by exploiting misconfigured input paths or feature accessibility in the export mechanism. Affe...
EUVD-2026-45099
OpenClaw versions before 2026.6.1 contain a credential redaction bypass vulnerability in the trajectory export feature that allows lower-trust callers to access data that should remain within trusted boundaries. Attackers can exploit misconfigured input paths or feature accessibility to expose...
EUVD-2026-45096
OpenClaw before 2026.6.5 could forward Authorization headers during MCP SSE redirects. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended authorization. Impact depends on the operator's...
EUVD-2026-45095
OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authorization by exploiting insufficient policy checks on configured input paths...
CVE-2026-62201
OpenClaw prior to version 2026.6.6 contains a network policy bypass in the sandbox exec-server that lets lower-trust callers reach internal network destinations blocked by policy. Attackers can send HTTP requests through the exec-server to access restricted network resources. The CVE description ...
EUVD-2026-45091
OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute or persist actions beyond their intended authorization by leveraging misconfigured input paths in t...