477 matches found
CVE-2026-62229
OpenClaw prior to 2026.5.18 contains an authorization bypass in exec allowlist glob matching. This allows lower-trust callers to execute actions beyond intended authorization by crafting input paths that traverse the allowlist glob patterns when the affected feature is enabled. According to the C...
CVE-2026-62226
OpenClaw 2026.3.28 before 2026.5.19 contains an authorization bypass in the browser act route, due to failure to properly validate current-tab URL checks. This allows attackers with lower-trust access or configured input paths to perform actions that should be restricted by stronger authorization...
CVE-2026-62221
Technical details are not publicly available in the provided documents. Monitor for updates from vuln sources; no product/version specifics or remediation are given in the supplied material.
CVE-2026-62215
OpenClaw versions before 2026.6.5 are affected by an authentication bypass in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions by submitting crafted requests through configured input paths, bypassing policy checks. The CVE lists impact on confidentiality and int...
CVE-2026-62211
OpenClaw versions prior to 2026.6.1 expose a credential redaction bypass in the trajectory export feature. The flaw allows lower-trust callers to access data that should remain within trusted boundaries by exploiting misconfigured input paths or feature accessibility in the export mechanism. Affe...
CVE-2026-62212
CVE-2026-62212 affects OpenClaw prior to 2026.5.28. A race condition exists in the MS Teams safeFetch DNS rebinding check when the affected feature is enabled and reachable. A lower-trust caller or configured input path could win the timing window between DNS validation and usage, enabling action...
CVE-2026-62201
OpenClaw prior to version 2026.6.6 contains a network policy bypass in the sandbox exec-server that lets lower-trust callers reach internal network destinations blocked by policy. Attackers can send HTTP requests through the exec-server to access restricted network resources. The CVE description ...
EUVD-2026-43534
OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...
EUVD-2026-43565
OpenClaw Feishu tools npm package @openclaw/feishu in versions = 2026.6.6 could ignore per-account disablement. A lower-trust caller or a configured input path could perform actions that should have required a stronger authorization or policy check, resulting in unauthorized operations. The issue...
EUVD-2026-43568
OpenClaw versions before 2026.6.9 contain an authorization bypass vulnerability in the flock wrapper that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can leverage configured input paths to bypass durable exec approval binding and perform...
EUVD-2026-43569
OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip requester authorization and...
EUVD-2026-43570
OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in Discord guild actions that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip cross-provider requester...
EUVD-2026-43571
OpenClaw versions 2026.6.5 before 2026.6.9 contain a vulnerability in the plugin install wrappers that could skip the install policy authorization check. When the affected feature is enabled and reachable, a lower-trust caller or a configured input path could execute or persist actions beyond the...
EUVD-2026-43566
OpenClaw @openclaw/feishu versions 2026.6.6 and earlier contain an incorrect authorization vulnerability in which the Feishu permission tools could ignore per-account disablement settings. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could...
CVE-2026-62198
OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. Attackers can exploit misconfigured input paths to bypass intended authorization controls and execute...
CVE-2026-62195
OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. Attackers can bypass authorization checks through configured input paths to execute or persist actions beyond their...
CVE-2026-62191
OpenClaw versions 2026.6.6 before 2026.6.9 contain an authorization bypass vulnerability in message mutation handling that allows lower-trust callers to perform actions requiring stronger authorization checks. Attackers can exploit misconfigured input paths to skip requester authorization and...
CVE-2026-62200
OpenClaw
CVE-2026-62200
OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended...
CVE-2026-62198 OpenClaw 2026.5.28 < 2026.6.6 Authorization Bypass via Web Search
OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. Attackers can exploit misconfigured input paths to bypass intended authorization controls and execute...