CVE-2026-41375
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper...
CVE-2026-7234 BrowserOperator browser-operator-core server.js startsWith path traversal
A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/componentserver/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit...
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.28 contained security vulnerabilities. These vulnerabilities stemmed from privilege escalation flaws, allowing authenticated operators with write permissions to acces...
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from improper authorization; the node.pair.approve method accepted the operator.write scope instead of the...
PT-2026-35807
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway au...
OpenClaw Security Vulnerability
OpenClaw is an open-source artificial intelligence assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.8 contained security vulnerabilities. These vulnerabilities stemmed from a privilege escalation issue in the gateway plugin's HTTP authentication process...
PT-2026-35672
A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploi...
PT-2026-35787
OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, allowing self-declared scopes to persist on...
browser-operator-core Path Traversal Vulnerability
Browser-Operator-core is a privacy-first AI browser developed by BrowserOperator. It supports local execution and multi-agent automation. Versions of Browser-Operator-core prior to 0.6.0 have a path traversal vulnerability. This vulnerability stems from the request.url parameter in the startsWith...
PT-2026-35804
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...
GHSA-GJ49-89WH-H4GJ vulnerabilities
Vulnerabilities for packages: hubble-ui, kubescape, kubescape-operator...
CVE-2026-41520 vulnerabilities
Vulnerabilities for packages: hubble-ui, kubescape, kubescape-operator...
GHSA-GJ49-89WH-H4GJ vulnerabilities
Vulnerabilities for packages: hubble-ui-backend-fips, hubble-fips, kubescape-server-fips, kubescape-server, kubescape, hubble-ui, kubescape-operator, kubescape-operator-fips...
CVE-2026-41520 vulnerabilities
Vulnerabilities for packages: hubble-ui-backend-fips, hubble-fips, kubescape-server-fips, kubescape-server, kubescape, hubble-ui, kubescape-operator, kubescape-operator-fips...
GHSA-7JM2-G593-4QRC OpenClaw: Agent gateway config mutations could change protected operator settings
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact The agent-facing gateway config.patch / config.apply guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook...
OpenClaw: Agent gateway config mutations could change protected operator settings
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact The agent-facing gateway config.patch / config.apply guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook...
NPM: OpenClaw: Agent gateway config mutations could change protected operator settings
NPM: OpenClaw: Agent gateway config mutations could change protected operator settings vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
Insufficient Granularity of Access Control
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via insufficient access control in the gateway config.patch and config.apply processes. An attacker can modify protected operator settings by...
OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy...
GHSA-V8QF-FR4G-28P2 OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy...