8 matches found
CVE-2026-6011
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...
OpenClaw vulnerable to SSRF in src/agents/tools/web-fetch.ts
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...
CVE-2026-6011
A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed...
PT-2026-31871
Name of the Vulnerable Software and Affected Versions OpenClaw versions through 2026.1.26 Description A weakness exists in OpenClaw up to version 2026.1.26, specifically within the assertPublicHostname Handler functionality of the file src/agents/tools/web-fetch.ts. A manipulation can lead to...
OpenClaw OS Command Injection Vulnerability
OpenClaw is openclaw open source an intelligent artificial assistant. An operating system command injection vulnerability exists in versions prior to OpenClaw 2026.1.29, which stems from the sshNodeCommand function failing to properly filter construct command special characters, commands, etc. An...
OpenClaw has an unspecified vulnerability
OpenClaw is openclaw open source an intelligent artificial assistant. A security vulnerability exists in versions prior to OpenClaw 2026.1.29, which originates from automatically establishing a WebSocket connection and sending a token, and can be exploited by an attacker to cause an unauthorized...
CVE-2026-25157
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...
CVE-2026-24763
OpenClaw/Docker sandbox: A command injection due to unsafe PATH handling when constructing shell commands. An authenticated user who can influence environment variables could execute commands inside the container context. This was fixed in version 2026.1.29 (prior to that, OpenClaw was vulnerable).