Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

58577 matches found

ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.5 views

CVE-2026-35669

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform...

8.8CVSS5.8AI score0.00298EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/04/10 4:3 p.m.2 views

CVE-2026-35669 OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform...

8.8CVSS5.8AI score0.00298EPSS
Exploits0References3
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.0 views

CVE-2026-35663

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges...

8.8CVSS5.8AI score0.00276EPSS
Exploits0References4
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.0 views

CVE-2026-35660

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References5
CVE
CVEadded 2026/04/10 4:3 p.m.5 views

CVE-2026-35660

OpenClaw is affected by a vulnerability in the Gateway agent’s /reset endpoint, prior to version 2026.3.23. The flaw grants callers with operator.write permission the ability to reset admin sessions by invoking /reset or /new with an explicit sessionKey, bypassing operator.admin requirements and ...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References4Affected Software1
EUVD
EUVDadded 2026/04/10 4:3 p.m.3 views

EUVD-2026-21466

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/04/10 4:3 p.m.3 views

CVE-2026-35660 OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References4
Cvelist
Cvelistadded 2026/04/10 4:3 p.m.21 views

CVE-2026-35657 OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint...

7.1CVSS0.00232EPSS
Exploits0References3
EUVD
EUVDadded 2026/04/10 4:3 p.m.3 views

EUVD-2026-21460

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint...

7.1CVSS5.8AI score0.00232EPSS
Exploits0References3
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.1 views

CVE-2026-35657

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint...

7.1CVSS5.8AI score0.00232EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/04/10 4:3 p.m.4 views

CVE-2026-35657 OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route

OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint...

7.1CVSS5.8AI score0.00232EPSS
Exploits0References3
CVE
CVEadded 2026/04/10 4:3 p.m.12 views

CVE-2026-35657

OpenClaw is affected by an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history endpoint, present in versions before 2026.3.25. The issue allows access to session history without proper operator.read permissions by bypassing scope validation. Attackers can exploit this via...

7.1CVSS5.8AI score0.00232EPSS
Exploits0References3Affected Software1
Cvelist
Cvelistadded 2026/04/10 4:3 p.m.25 views

CVE-2026-35653 OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS0.006EPSS
Exploits1References4
EUVD
EUVDadded 2026/04/10 4:3 p.m.2 views

EUVD-2026-21452

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.3 views

CVE-2026-35653

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS5.8AI score0.006EPSS
Exploits1References5
CVE
CVEadded 2026/04/10 4:3 p.m.7 views

CVE-2026-35653

OpenClaw prior to 2026.3.24 contains an incorrect authorization flaw in POST /reset-profile. Authenticated callers with operator.write access to browser.request can bypass profile mutation restrictions, potentially stopping the running browser, closing Playwright connections, and moving profile d...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4Affected Software1
EUVD
EUVDadded 2026/04/10 4:3 p.m.5 views

EUVD-2026-21432

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References6
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.2 views

CVE-2026-35621

OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. Attackers can exploit chat.send to build an internal...

7.1CVSS5.8AI score0.00264EPSS
Exploits1References3
ATTACKERKB
ATTACKERKBadded 2026/04/10 4:3 p.m.3 views

CVE-2026-35620

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References7
Vulnrichment
Vulnrichmentadded 2026/04/10 4:3 p.m.1 views

CVE-2026-35620 OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References6
Rows per page
Query Builder