
24 matches found

EUVD
added 2 days ago, 10 views

EUVD-2026-36322

OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance...

CVSS 8.6, AI score 5.8, EPSS 0.00342
Exploits: 0, References: 3

NVD
added 2026/06/11 9:16 p.m., 12 views

CVE-2026-53816

OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway,...

CVSS 8.6, EPSS 0.00342
Exploits: 0, References: 2

CVE
added 2026/06/11 8:09 p.m., 31 views

CVE-2026-53816

OpenClaw before 2026.5.18 is affected by an insufficient provenance validation vulnerability in node event handling. A malicious or compromised paired node can send crafted node.event messages to the gateway, allowing forging of exec lifecycle events and steering target sessions into exec-event p...

CVSS 8.6, AI score 5.5, EPSS 0.00342
Exploits: 0, References: 2, Affected Software: 1

Cvelist
added 2026/06/11 8:09 p.m., 30 views

CVE-2026-53816 OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node

OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway,...

CVSS 8.6, EPSS 0.00342
Exploits: 0, References: 2

Vulnrichment
added 2026/06/11 8:09 p.m., 9 views

CVE-2026-53816 OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node

OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway,...

CVSS 8.6, AI score 5.2, EPSS 0.00342
Exploits: 0, References: 2

RedhatCVE
added 2026/04/29 8:48 p.m., 4 views

CVE-2026-42432

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...

CVSS 7.8, AI score 5.5, EPSS 0.00131
Exploits: 0, References: 1

NVD
added 2026/04/28 7:37 p.m., 6 views

CVE-2026-42432

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...

CVSS 7.8, EPSS 0.00131
Exploits: 0, References: 3

NVD
added 2026/04/28 7:37 p.m., 4 views

CVE-2026-41378

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted...

CVSS 8.8, EPSS 0.00444
Exploits: 0, References: 3

ATTACKERKB
added 2026/04/28 6:10 p.m., 6 views

CVE-2026-42432

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...

CVSS 7.8, AI score 5.9, EPSS 0.00131
Exploits: 0, References: 4

EUVD
added 2026/04/28 6:10 p.m., 6 views

EUVD-2026-26134

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...

CVSS 7.8, AI score 5.4, EPSS 0.00131
Exploits: 0, References: 3

Cvelist
added 2026/04/28 6:09 p.m., 30 views

CVE-2026-41378 OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted...

CVSS 8.8, EPSS 0.00444
Exploits: 0, References: 3

ATTACKERKB
added 2026/04/28 6:09 p.m., 5 views

CVE-2026-41378

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted...

CVSS 8.8, AI score 6.3, EPSS 0.00444
Exploits: 0, References: 4

EUVD
added 2026/04/28 6:09 p.m., 8 views

EUVD-2026-26087

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted...

CVSS 8.8, AI score 6.3, EPSS 0.00444
Exploits: 0, References: 3

Vulnrichment
added 2026/04/28 6:09 p.m., 7 views

CVE-2026-41378 OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted...

CVSS 8.8, AI score 6.3, EPSS 0.00444
Exploits: 0, References: 3

CNNVD
added 2026/04/28 12:00 a.m., 11 views

OpenClaw security vulnerability

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities were due to a permission escalation flaw, allowing paired nodes with the role="node" to access the distributed node'...

CVSS 8.8, AI score 6.2, EPSS 0.00444
Exploits: 0, References: 1

Positive Technologies
added 2026/04/28 12:00 a.m., 4 views

PT-2026-35810

OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system...

CVSS 7.8, AI score 5.4, EPSS 0.00131
Exploits: 0, References: 4

Positive Technologies
added 2026/04/28 12:00 a.m., 6 views

PT-2026-35763

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.31. Description: A privilege escalation issue allows paired nodes with role=node to dispatch node.event agent requests, granting unrestricted tool access on the gateway side. Attackers possessing trusted paired...

CVSS 8.8, AI score 6.5, EPSS 0.00444
Exploits: 0, References: 6

ATTACKERKB
added 2026/04/23 9:58 p.m., 3 views

CVE-2026-41352

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation...

CVSS 8.8, AI score 6.7, EPSS 0.00544
Exploits: 0, References: 4

CVE
added 2026/03/31 2:10 p.m., 8 views

CVE-2026-33577

CVE-2026-33577 (OpenClaw): OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node-pairing approval path. The issue is caused by missing callerScopes validation in node-pairing.ts, allowing a low-privilege operator to approve nodes with broader scopes onto t...

CVSS 8.6, AI score 5.9, EPSS 0.00379
Exploits: 0, References: 3, Affected Software: 1

OSV
added 2026/03/02 9:49 p.m., 11 views

GHSA-392F-GGF5-FP3C OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists

Summary: A paired node could supply Unicode-confusable platform or deviceFamily metadata that passed metadata pinning but classified differently for command policy resolution, broadening default node command allowlists. Impact: This is a policy-bypass issue within the paired-node trust boundary and...

CVSS 6.9, AI score 5.9
Exploits: 0, References: 2