Lucene search
K

348 matches found

Cvelist
Cvelist
added 2026/03/12 12:2 p.m.27 views

CVE-2026-4039 OpenClaw Skill Env applySkillConfigenvOverrides code injection

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1...

6.5CVSS0.00316EPSS
Exploits0References7
OSV
OSV
added 2026/03/12 12:2 p.m.4 views

CVE-2026-4039 OpenClaw Skill Env applySkillConfigenvOverrides code injection

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1...

5.3CVSS6.4AI score0.00316EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/03/12 12:2 p.m.2 views

CVE-2026-4039 OpenClaw Skill Env applySkillConfigenvOverrides code injection

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1...

6.5CVSS5.7AI score0.00316EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/03/12 12:2 p.m.10 views

CVE-2026-4039

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1...

6.5CVSS5.7AI score0.00316EPSS
Exploits0References8
CVE
CVE
added 2026/03/12 12:2 p.m.18 views

CVE-2026-4039

Summary: CVE-2026-4039 affects OpenClaw 2026.2.19-2, specifically the Skill Env Handler’s function applySkillConfigenvOverrides, allowing remote code injection via manipulated environment configuration. A fix is published and the advisory notes upgrading to 2026.2.21-beta.1 (patch 8c9f35cdb51692b...

8.8CVSS5.7AI score0.00316EPSS
Exploits0References7Affected Software1
Packet Storm News
Packet Storm News
added 2026/03/10 12:0 a.m.2 views

Execution Is the New Attack Surface: Survivability-Aware Agentic Crypto Trading with OpenClaw-Style Local Executors

OpenClaw-style agent stacks turn language into privileged execution: LLM intents flow through tool interception, policy gates, and a local executor. In parallel, skill marketplaces such as skills.sh make capability acquisition as easy as installing skills and CLIs, creating a growing capability...

5.9AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/07 1:44 a.m.4 views

CVE-2026-28457

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

7.9CVSS5.8AI score0.00134EPSS
Exploits0References1
NVD
NVD
added 2026/03/05 10:16 p.m.5 views

CVE-2026-28457

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

7.9CVSS0.00134EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/03/05 9:59 p.m.28 views

CVE-2026-28457 OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

6.1CVSS0.00134EPSS
Exploits0References3
OSV
OSV
added 2026/03/05 9:59 p.m.4 views

CVE-2026-28457 OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

5.6CVSS6AI score0.00134EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/05 9:59 p.m.0 views

CVE-2026-28457 OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

6.1CVSS5.8AI score0.00134EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/05 9:59 p.m.7 views

EUVD-2026-9905

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring must be enabled that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences...

5.6CVSS5.9AI score0.00134EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/03 10:13 p.m.3 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the autoAllowSkills process. An attacker can execute unauthorized skills without operator approval by exploiting a skill-name collision when autoAllowSkills is...

7.3CVSS5.9AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/03 10:13 p.m.11 views

OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skil...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/03 10:13 p.m.4 views

GHSA-7FF8-XJH3-MGH6 OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt

Summary In openclaw versions up to and including 2026.2.22-2, a non-default exec-approval configuration could allow a skill-name collision to bypass an ask=on-miss prompt. When autoAllowSkills=true, a path-scoped executable such as ./skill-bin could resolve to basename skill-bin, satisfy the skil...

7.3CVSS6AI score
Exploits0References3
OSV
OSV
added 2026/03/03 9:32 p.m.4 views

GHSA-77HF-7FQF-F227 OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)

Summary The tar.bz2 installer path in src/agents/skills-install-download.ts used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor. This allowed crafted .tar.bz2 archives to bypass special-entry blocking and extracted-size...

5.5CVSS6AI score0.00132EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/02 10:51 p.m.11 views

OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace

Overview In affected versions, OpenClaw’s sandbox skill mirroring used the skill’s frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments for example ../ or an absolute path could cause the copy to write...

7.9CVSS5.9AI score0.00134EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/03/02 10:51 p.m.2 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the sandbox skill mirroring command. An attacker can cause files to be written outside the intended workspace by supplying a crafted skill package with traversal...

7.9CVSS6.2AI score0.00134EPSS
Exploits0References2
OSV
OSV
added 2026/03/02 10:51 p.m.3 views

GHSA-XW4P-PW82-HQR7 OpenClaw's sandbox skill mirroring path traversal vulnerability could write outside the sandbox workspace

Overview In affected versions, OpenClaw’s sandbox skill mirroring used the skill’s frontmatter name as part of the destination path when copying skills into the sandbox workspace. A crafted skill name containing traversal segments for example ../ or an absolute path could cause the copy to write...

7.1CVSS5.9AI score0.00134EPSS
Exploits0References5
CNVD
CNVD
added 2026/03/02 12:0 a.m.3 views

OpenClaw has an unspecified vulnerability (CNVD-2026-13377)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an unspecified vulnerability that stems from insufficient validation of the targetDir value during download skill installation, which can be exploited by an attacker to cause files to be written outsid...

6.8CVSS5.8AI score0.00166EPSS
Exploits0References1
Rows per page
Query Builder