29 matches found

CVE • added 2026/04/28 6:09 p.m. • 7 views

CVE-2026-41391

CVE-2026-41391 affects the OpenClaw project. OpenClaw before 2026.3.31 fails to sanitize PIP_INDEX_URL and UV_INDEX_URL in host execution contexts, enabling attackers to redirect Python package-index traffic by injecting malicious index URLs through unsanitized environment variables. The issue is...

CVSS 6.1 | AI score 5.5 | EPSS 0.00125 | Exploits 0 | References 3 | Affected software 1
OSV • added 2026/04/24 12:31 a.m. • 2 views

GHSA-CW28-63X4-37C3 Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-89r3-6x4j-v7wf. This link is maintained to preserve external references. Original Description: OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows...

CVSS 6.3 | AI score 5.7 | EPSS 0.00229 | Exploits 0 | References 4
Vulnrichment • added 2026/04/23 9:58 p.m. • 0 views

CVE-2026-41352 OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation...

CVSS 8.8 | AI score 6.7 | EPSS 0.00544 | Exploits 0 | References 3
Cvelist • added 2026/04/23 9:58 p.m. • 27 views

CVE-2026-41348 OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...

CVSS 5.4 | EPSS 0.00177 | Exploits 0 | References 3
Cvelist • added 2026/04/23 9:58 p.m. • 28 views

CVE-2026-41347 OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized...

CVSS 7.1 | EPSS 0.00112 | Exploits 0 | References 3
CVE • added 2026/04/23 9:57 p.m. • 6 views

CVE-2026-41337

OpenClaw before version 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay. Attackers who have captured valid live-call callbacks can mutate the in-process callback origin during the replay process, enabling manipulation of callback origins. The CVE entry lists...

CVSS 6.3 | AI score 5.8 | EPSS 0.00229 | Exploits 0 | References 3 | Affected software 1
Vulnrichment • added 2026/04/20 11:08 p.m. • 3 views

CVE-2026-41329 OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privile...

CVSS 9.9 | AI score 5.8 | EPSS 0.00298 | Exploits 0 | References 3
EUVD • added 2026/04/20 11:08 p.m. • 1 view

EUVD-2026-24000

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files...

CVSS 8.8 | AI score 5.9 | EPSS 0.002 | Exploits 0 | References 3
Snyk • added 2026/04/07 6:10 p.m. • 1 view

Server-side Request Forgery (SSRF)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch process in the marketplace plugin. An attacker can access internal network resources or sensitive information by supplying crafted URLs that...

CVSS 7.6 | AI score 5.9 | EPSS 0.00236 | Exploits 0 | References 2
Github Security Blog • added 2026/04/03 3:23 a.m. • 4 views

OpenClaw: Discord Slash Commands Bypass Group DM Channel Allowlist

Summary: Discord Slash Commands Bypass Group DM Channel Allowlist. Current Maintainer Triage: Status: narrow; Normalized severity: moderate; Assessment: v2026.3.28 native Discord slash and autocomplete paths still skip the group-DM allowlist, but impact is limited to already-authorized Discord...

CVSS 5.4 | AI score 5.9 | EPSS 0.00177 | Exploits 0 | References 6 | Affected software 1
Github Security Blog • added 2026/04/03 3:15 a.m. • 7 views

OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders

Summary: Telegram audio preflight transcription enables resource consumption by unauthorized senders. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: v2026.3.28 still lets unauthorized Telegram group senders trigger audio preflight before allowlist enforcement...

CVSS 6.9 | AI score 5.8 | EPSS 0.00297 | Exploits 0 | References 6 | Affected software 1
Github Security Blog • added 2026/04/03 3:14 a.m. • 1 view

OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile

Summary: Sandbox escape via TOCTOU race in remote FS bridge readFile. Current Maintainer Triage: Normalized severity: critical; Assessment: v2026.3.28 remote sandbox reads still do path-check then separate file read, so the TOCTOU sandbox escape remains present in the latest shipped tag. Affected...

CVSS 8.8 | AI score 5.9 | EPSS 0.002 | Exploits 0 | References 6 | Affected software 1
Snyk • added 2026/04/03 3:13 a.m. • 0 views

Allocation of Resources Without Limits or Throttling

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call process. An attacker can cause excessive resource consumption by sending oversized WebSocket frames before validati...

CVSS 7.5 | AI score 5.9 | EPSS 0.00532 | Exploits 0 | References 2
OSV • added 2026/04/03 3:00 a.m. • 3 views

GHSA-G8XP-QX39-9JQ9 OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides

Summary: Incomplete host-env-security-policy.json allows untrusted model to substitute compiler binaries CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER via env overrides on approved host exec requests. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: Shipped v2026.3....

CVSS 7.3 | AI score 5.9 | EPSS 0.0013 | Exploits 0 | References 6
Snyk • added 2026/04/03 2:58 a.m. • 3 views

Replay Attack

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Replay Attack via the webhook signature verification process. An attacker can bypass replay detection by submitting requests with equivalent Base64 and Base64URL-encoded signatures, causi...

CVSS 6.3 | AI score 5.9 | EPSS 0.00251 | Exploits 0 | References 2
Github Security Blog • added 2026/04/03 2:58 a.m. • 9 views

OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding

Summary: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding. Current Maintainer Triage: Status: narrow; Normalized severity: low; Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature...

CVSS 6.3 | AI score 5.9 | EPSS 0.00251 | Exploits 0 | References 6 | Affected software 1
Github Security Blog • added 2026/04/03 2:56 a.m. • 5 views

OpenClaw runs Discord audio preflight transcription before member authorization

Summary: Discord audio preflight transcription before member authorization. Current Maintainer Triage: Status: narrow; Normalized severity: medium; Assessment: v2026.3.28 still runs Discord audio preflight before member allowlist rejection, but this is the same pre-auth resource-consumption clas...

CVSS 6.9 | AI score 5.9 | EPSS 0.00474 | Exploits 0 | References 6 | Affected software 1
Github Security Blog • added 2026/04/03 2:54 a.m. • 2 views

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

Summary: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion. Current Maintainer Triage: Status: open; Normalized severity: medium; Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the...

CVSS 8.7 | AI score 5.9 | EPSS 0.00481 | Exploits 0 | References 6 | Affected software 1
OSV • added 2026/04/03 2:49 a.m. • 3 views

GHSA-CWF8-44X6-32C2 OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal

Summary: OpenShell Mirror Sync: Sandbox Escape via Unrestricted File Sync + Symlink Traversal. Current Maintainer Triage: Status: narrow; Normalized severity: high; Assessment: v2026.3.28 still has the mirror-boundary bug because shipped c02ee8 only excluded hooks while unreleased 3b9dab is the...

CVSS 9.6 | AI score 5.9 | EPSS 0.0047 | Exploits 0 | References 7
Github Security Blog • added 2026/04/03 2:47 a.m. • 5 views

OpenClaw: Workspace `.env` can override the bundled plugin trust root

Summary: Workspace .env can override the bundled plugin trust root. Current Maintainer Triage: Status: open; Normalized severity: high; Assessment: v2026.3.28 still lets workspace .env override OPENCLAW_BUNDLED_PLUGINS_DIR, but critical is too high because exploitation still depends on...

CVSS 8.5 | AI score 5.9 | EPSS 0.00126 | Exploits 0 | References 6 | Affected software 1