Known Vulnerabilities for products from Openclaw
Listed below are 20 of the newest known vulnerabilities associated with the vendor "Openclaw".
These CVEs are retrieved by exact matches on the listed vendor information (CPE data) and by a keyword search, so that the newest vulnerabilities without officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-34510 | | Not Provided | 2026-04-01 | 2026-04-01 |
| CVE-2026-34506 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthori... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-34505 | | Not Provided | 2026-03-31 | 2026-03-31 |
| CVE-2026-34504 | | Not Provided | 2026-03-31 | 2026-03-31 |
| CVE-2026-34503 | | Not Provided | 2026-03-31 | 2026-03-31 |
| CVE-2026-33581 | OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33580 | OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that al... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33579 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forwa... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33578 | OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where rout... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33577 | | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33576 | OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unaut... | Not Provided | 2026-03-31 | 2026-04-01 |
| CVE-2026-33575 | OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair end... | Not Provided | 2026-03-29 | 2026-03-30 |
| CVE-2026-33574 | OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools ro... | Not Provided | 2026-03-29 | 2026-03-31 |
| CVE-2026-33573 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated o... | Not Provided | 2026-03-29 | 2026-03-30 |
| CVE-2026-33572 | OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users ... | Not Provided | 2026-03-29 | 2026-03-31 |
| CVE-2026-32987 | OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-... | Not Provided | 2026-03-29 | 2026-03-31 |
| CVE-2026-32980 | OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-t... | Not Provided | 2026-03-29 | 2026-03-31 |
| CVE-2026-32979 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by ... | Not Provided | 2026-03-29 | 2026-03-30 |
| CVE-2026-32978 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file o... | Not Provided | 2026-03-29 | 2026-03-30 |
| CVE-2026-32975 | OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group d... | Not Provided | 2026-03-29 | 2026-03-30 |