24 matches found
From Clawdbot to OpenClaw: Practical Lessons in Building Secure Agents
...
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
Summary Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. Impact A malicious website can trigger unauthorized...
GHSA-Q447-RJ3R-2CGH OpenClaw affected by denial of service via unbounded webhook request body buffering
Summary Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability. Details Affected packages: - openclaw npm: 2026.2.12 - clawdbot npm:...
OpenClaw affected by denial of service via unbounded webhook request body buffering
Summary Multiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability. Details Affected packages: - openclaw npm: 2026.2.12 - clawdbot npm:...
PT-2026-20368
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.14 clawdbot versions prior to 2026.1.24-3 Description Browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote...
GHSA-3M3Q-X3GJ-F79X OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations
Affected Packages / Versions This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled. - Package: @openclaw/voice-call - Vulnerable versions: = 2026.2.3 Legacy package name if you are still usi...
A Trajectory-Based Safety Audit of Clawdbot (OpenClaw)
Clawdbot is a self-hosted, tool-using personal AI agent with a broad action space spanning local execution and web-mediated workflows, which raises heightened safety and security concerns under ambiguity and adversarial steering. We present a trajectory-centric evaluation of Clawdbot across six...
OpenClaw < 2026.1.30 Path Traversal (GHSA-r8g4-86fx-92mq)
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.30. It is, therefore, affected by a path traversal vulnerability: - The isValidMedia function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory...
OpenClaw < 2026.1.20 Command Injection (GHSA-g55j-c2v4-pjcg)
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.20. It is, therefore, affected by a command injection vulnerability: - An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that...
OS Command Injection
clawdbot is vulnerable to an OS command injection. The vulnerability is due to improper escaping and validation of user-supplied input in SSH-related functions, which allows an attacker to inject malicious command strings via the project root path or crafted SSH target arguments, leading to...
Viral AI, Invisible Risks: What OpenClaw Reveals About Agentic Assistants
OpenClaw aka Clawdbot or Moltbot represents a new frontier in agentic AI: powerful, highly autonomous, and surprisingly easy to use. In this research, we examine how its capabilities compare to its predecessors’ and highlight the security risks inherent to the agentic AI paradigm...
All gas, no brakes: Time to come to AI church
Welcome to this week's edition of the Threat Source newsletter. Brothers and sisters, gather close for a moment. We are all security followers here gathered in fellowship and community, with one joyful spirit to fight the good fight and do good out there in the security world. It is with that...
CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...
GHSA-Q284-4PVR-M585 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
Two related vulnerabilities existed in the macOS application's SSH remote connection handling CommandResolver.swift: Details The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescap...
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
Two related vulnerabilities existed in the macOS application's SSH remote connection handling CommandResolver.swift: Details The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescap...
Command Injection
Overview clawdbot is a WhatsApp gateway CLI Baileys web with Pi RPC agent Affected versions of this package are vulnerable to Command Injection via unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user can execute arbitrary commands within the...
GHSA-MC68-Q9JW-2H3V OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
Summary A Command Injection vulnerability existed in Clawdbot’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the...
OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable
Summary A Command Injection vulnerability existed in Clawdbot’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the...
CVE-2026-25253
OpenClaw aka clawdbot or Moltbot before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value...
OpenClaw
🦞 Moltbot/Clawdbot 1-Click RCE PoC A simplified, single-scrip...