Known Vulnerabilities for products from OpenClaw

Listed below are 20 of the newest known vulnerabilities associated with the vendor "OpenClaw".

These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.

Data on known vulnerable products is also displayed, based on information from known CPEs; each product links to its respective vulnerability page.

Known Vulnerabilities

| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-53866 | | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53865 | | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53864 | OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows N... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53863 | OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated gro... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53862 | OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53861 | | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53860 | OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allow... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53859 | OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons usi... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53858 | OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could ... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53857 | OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could ... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53856 | OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores Open... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53855 | OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allow... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53854 | OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that a... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53853 | OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execu... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53852 | OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated op... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53851 | OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipe... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53850 | OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenti... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53849 | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Disco... | Not Provided | 2026-06-16 | 2026-06-18 |
| CVE-2026-53848 | OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper... | Not Provided | 2026-06-16 | 2026-06-17 |
| CVE-2026-53847 | OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway o... | Not Provided | 2026-06-16 | 2026-06-17 |

© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
