7 matches found

Positive Technologies
added 2026/03/12 12:00 a.m. · 6 views

PT-2026-24945

A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version...

CVSS 4.8 · AI score 5.3 · EPSS 0.00133
Exploits: 0 · References: 9
OSV
added 2026/03/03 11:32 p.m. · 3 views

GHSA-GQ83-8Q7Q-9HFX OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption

Impact: Concurrent updateRegistry/removeRegistryEntry operations for sandbox containers and browsers could lose updates or resurrect removed entries under race conditions. The registry writes were read-modify-write in a window with no locking and permissive fallback parsing, so concurrent registry...

CVSS 6.9 · AI score 5.9 · EPSS 0.00134
Exploits: 0 · References: 6
OSV
added 2026/03/03 6:09 p.m. · 6 views

GHSA-7FCC-CW49-XM78 OpenClaw has command injection via Windows shell fallback in Lobster tool execution

Summary: The Lobster extension tool execution path used a Windows shell fallback (shell: true) after spawn failures (EINVAL/ENOENT). In that fallback path, shell metacharacters in command arguments can be interpreted by the shell, enabling command injection. Affected Packages / Versions - Package:...

CVSS 8.6 · AI score 6.1 · EPSS 0.00618
Exploits: 0 · References: 3
RedhatCVE
added 2026/02/22 1:25 p.m. · 5 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 7.3 · AI score 5.4 · EPSS 0.00327
Exploits: 0 · References: 1
NVD
added 2026/02/21 10:16 a.m. · 8 views

CVE-2026-27488

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, Cron webhook delivery in src/gateway/server-cron.ts uses fetch directly, so webhook targets can reach private/metadata/internal endpoints without SSRF policy checks. This issue was fixed in version 2026.2.19...

CVSS 7.3 · EPSS 0.00327
Exploits: 0 · References: 3
CVE
added 2026/02/21 9:49 a.m. · 20 views

CVE-2026-27488

OpenClaw contains an SSRF-related issue in Cron webhook delivery. In versions up to 2026.2.17, the fetch() call in src/gateway/server-cron.ts allowed webhook targets to reach private/metadata/internal endpoints without SSRF policy checks. The issue was fixed in version 2026.2.19; upgrading to 2026...

CVSS 7.3 · AI score 5.4 · EPSS 0.00327
Exploits: 0 · References: 3 · Affected Software: 1
Positive Technologies
added 2026/02/19 12:00 a.m. · 7 views

PT-2026-26236

Summary: tools.exec.safeBins could be bypassed for filesystem access when sort output flags -o / --output or recursive grep flags were allowed through safe-bin execution paths. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.2.19 - Latest published version at triag...

CVSS 7.1 · AI score 6 · EPSS 0.0014
Exploits: 0 · References: 12