7 matches found

Github Security Blog, added 2026/05/04 4:52 p.m.

OpenClaw: Slack thread context could include messages from non-allowlisted senders

Summary: Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. Impact: A Sla...

CVSS 5.4 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 5 | Affected software: 1
EUVD, added 2026/04/20 11:08 p.m.

EUVD-2026-23995

OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials...

CVSS 5.9 | AI score 5.8 | EPSS 0.00006
Exploits: 0 | References: 3
OSV, added 2026/04/09 5:37 p.m.

GHSA-CCX3-FW7Q-RR2R OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks

Impact: Multiple code paths missing base64 pre-allocation size checks. Several base64 decode paths could allocate before enforcing decoded-size limits. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service...

CVSS 5.1 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 5
OSV, added 2026/04/07 6:15 p.m.

GHSA-98CH-45WP-CH47 OpenClaw: Windows-compatible env override keys could bypass system.run approval binding

Summary: Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time. Impact: An approved command could run with...

CVSS 6.9 | AI score 6
Exploits: 0 | References: 3
Snyk, added 2026/04/07 6:15 p.m.

Improper Handling of Case Sensitivity

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to inconsistent normalization of environment override keys between approval binding and execution time. An attacker can inject unauthorized...

CVSS 7.6 | AI score 6 | EPSS 0.00048
Exploits: 0 | References: 2
Github Security Blog, added 2026/04/04 6:26 a.m.

OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Summary: Before OpenClaw 2026.4.2, the Gemini OAuth flow reused the PKCE verifier as the OAuth state value. Because the provider reflected state back in the redirect URL, the verifier could be exposed alongside the authorization code. Impact: Anyone who could capture the redirect URL could learn bo...

CVSS 6 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 5 | Affected software: 1
Cvelist, added 2026/04/03 8:45 p.m.

CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter

OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption...

CVSS 6 | EPSS 0.00036
Exploits: 0 | References: 3