Lucene search
K

557 matches found

EUVD
EUVD
added 5 days ago10 views

EUVD-2026-36322

OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance...

8.6CVSS5.8AI score0.00342EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago9 views

EUVD-2026-36315

OpenClaw: Embedded runner policy could be confused by provider aliases...

4.8CVSS5.7AI score0.00093EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-36316

OpenClaw's marketplace runtime extension metadata could point at unscanned payloads...

8.8CVSS5.8AI score0.00419EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/18 1:2 p.m.4 views

Incomplete List of Disallowed Inputs

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via insufficient sanitization of environment variables in the process. An attacker can influence the behavior of a Node.js child process or alter...

8.1CVSS5.9AI score0.00246EPSS
Exploits0References2
NVD
NVD
added 2026/06/16 7:17 p.m.15 views

CVE-2026-53851

OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading ...

6.3CVSS0.00191EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/16 6:4 p.m.20 views

CVE-2026-53846 OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath

OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npmexecpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager...

7.1CVSS0.00118EPSS
Exploits0References2
CVE
CVE
added 2026/06/16 6:4 p.m.17 views

CVE-2026-53842

OpenClaw prior to 2026.5.2 is affected by an environment variable injection in CLOUDSDK_PYTHON that can influence Python runtime selection during Gmail setup gcloud execution. Attackers with repository access can set CLOUDSDK_PYTHON to point to unintended local Python paths, potentially enabling ...

7.1CVSS5.9AI score0.00133EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/16 6:4 p.m.15 views

CVE-2026-53840

OpenClaw CVE-2026-53840 affects the OpenClaw MCP stack before version 2026.5.12. The issue is an information-disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. If an attacker controls or can compromise an MCP end...

7.1CVSS5.3AI score0.00223EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.14 views

PT-2026-49773

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.23 through 2026.4.23 Description An insecure file permissions issue exists in the config recovery process that restores the OpenClaw.json file with overly broad permissions. Local attackers on shared hosts can exploit...

5.7CVSS5.2AI score0.00094EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/13 12:34 a.m.9 views

EUVD-2026-36608

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command...

6.9CVSS5.2AI score0.00094EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/12 11:9 p.m.4 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the memory-wiki ingest process when an authenticated user with operator.write scope specifies arbitrary local file paths. An attacker can access sensitive local...

7.1CVSS6.5AI score0.00375EPSS
Exploits0References2
NVD
NVD
added 2026/06/12 10:16 p.m.10 views

CVE-2026-53821

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut...

8.8CVSS0.00289EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.21 views

CVE-2026-53835

OpenClaw (pre-2026.5.6) contains a configuration enforcement bypass in Feishu dynamic-agent bindings. The flaw allows authenticated senders to create or update bindings without honoring configured config-write controls, enabling changes to sender-agent binding state beyond policy. Affected compon...

4.3CVSS5.3AI score0.00166EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/12 9:56 p.m.33 views

CVE-2026-53835 OpenClaw < 2026.5.6 - Config-Write Enforcement Bypass in Feishu Dynamic-Agent Bindings

OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding...

4.3CVSS0.00166EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.6 views

CVE-2026-53832 OpenClaw < 2026.5.18 - Identity Header Forgery via Trusted-Proxy Configuration

OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate...

7.7CVSS5.2AI score0.00102EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 9:56 p.m.29 views

CVE-2026-53826

OpenClaw is affected by an information-disclosure vulnerability in sandboxed session spawning affecting versions prior to 2026.4.26. The issue allows a sandboxed parent to reveal the real workspace path to child prompts, potentially exposing host workspace location or related memory context to ch...

4.3CVSS5.4AI score0.00187EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/12 9:56 p.m.8 views

CVE-2026-53826 OpenClaw < 2026.4.26 - Information Disclosure via Sandboxed Session Spawn

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context ...

4.3CVSS5.3AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-49026

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.18 Description Command injection occurs because the shell wrapper argv can be modified between the approval and execution phases. This allows attackers to rebuild command arguments after they have passed...

8.8CVSS6AI score0.00982EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.19 views

PT-2026-49039

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.6 Description A configuration enforcement bypass exists in Feishu dynamic-agent bindings. This issue allows authenticated senders to create or update bindings without adhering to the configured config-write...

4.3CVSS5.2AI score0.00166EPSS
Exploits0References5
NVD
NVD
added 2026/06/11 9:16 p.m.11 views

CVE-2026-53810

OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points...

8.8CVSS0.00419EPSS
Exploits0References2
Rows per page
Query Builder