CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

42 matches found

CVE-2026-45374

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

9.6CVSS5.8AI score0.00045EPSS

Exploits0References1

EUVD•added 2026/05/11 6:31 p.m.•3 views

EUVD-2026-29142

OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that...

4.3CVSS5.8AI score0.00028EPSS

Exploits0References4

OSV•added 2026/05/11 6:31 p.m.•4 views

GHSA-W626-296M-8F85 Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q3jj-46pq-826r. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents ...

4.3CVSS5.7AI score0.00028EPSS

Exploits0References5

Github Security Blog•added 2026/05/11 6:31 p.m.•7 views

Duplicate Advisory: OpenClaw's ACP child sessions inherit subagent security envelope constraints

4.3CVSS5.7AI score0.00028EPSS

Exploits0References5Affected Software1

NVD•added 2026/05/11 6:16 p.m.•6 views

CVE-2026-44997

4.3CVSS0.00028EPSS

Exploits0References3

Vulnrichment•added 2026/05/11 4:46 p.m.•4 views

CVE-2026-44997 OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions

4.3CVSS5.8AI score0.00028EPSS

Exploits0References3

ATTACKERKB•added 2026/05/11 4:46 p.m.•2 views

CVE-2026-44997

4.3CVSS5.8AI score0.00028EPSS

Exploits0References4

Cvelist•added 2026/05/11 4:46 p.m.•28 views

CVE-2026-44997 OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions

4.3CVSS0.00028EPSS

Exploits0References3

CVE•added 2026/05/11 4:46 p.m.•6 views

CVE-2026-44997

OpenClaw before 2026.4.22 is affected by a security envelope constraint bypass in ACP child sessions. The vulnerability allows restricted subagents to spawn ACP child sessions that do not inherit depth, child-count limits, control scope, or target-agent restrictions, potentially enabling privileg...

4.3CVSS5.8AI score0.00028EPSS

Exploits0References3Affected Software1

Positive Technologies•added 2026/05/11 12:0 a.m.•6 views

PT-2026-39686

4.3CVSS5.8AI score0.00028EPSS

Exploits0References4

Vulnrichment•added 2026/04/20 11:8 p.m.•3 views

CVE-2026-41298 OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint

OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls...

5.4CVSS5.8AI score0.00034EPSS

Exploits0References3

Vulnrichment•added 2026/04/10 4:3 p.m.•2 views

CVE-2026-35662 OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action

OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. Attackers can exploit this by using the send action to communicate with child sessions without proper scope...

5.3CVSS5.8AI score0.00036EPSS

Exploits0References4

Cvelist•added 2026/04/10 4:3 p.m.•20 views

CVE-2026-35662 OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action

5.3CVSS0.00036EPSS

Exploits0References4

EUVD•added 2026/04/10 4:3 p.m.•3 views

EUVD-2026-21470

5.3CVSS5.8AI score0.00036EPSS

Exploits0References4

ATTACKERKB•added 2026/04/10 4:3 p.m.•2 views

CVE-2026-35662

5.3CVSS5.8AI score0.00036EPSS

Exploits0References5

Positive Technologies•added 2026/04/10 12:0 a.m.•3 views

PT-2026-31973

5.3CVSS5.8AI score0.00036EPSS

Exploits0References5

OSV•added 2026/03/29 3:30 p.m.•1 views

GHSA-HH43-Q692-2XMQ Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wcxr-59v9-rxr8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows...

9.2CVSS5.9AI score0.00015EPSS

Exploits0References4

EUVD•added 2026/03/29 3:30 p.m.•0 views

EUVD-2026-16999

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

9.2CVSS6AI score0.00015EPSS

Exploits0References3

EUVD•added 2026/03/29 3:30 p.m.•2 views

EUVD-2026-16997

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability allowing leaf subagents to access the subagents control surface and resolve against parent requester scope instead of their own session tree. A low-privilege sandboxed leaf worker can steer or kill sibling runs and cause...

9.3CVSS6.1AI score0.00006EPSS

Exploits0References3

Github Security Blog•added 2026/03/29 3:30 p.m.•3 views

Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state

9.2CVSS5.9AI score0.00015EPSS

Exploits0References4Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by