Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/955366?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/955366?format=api", "purl": "pkg:npm/clawdbot@2026.1.24-2", "type": "npm", "namespace": "", "name": "clawdbot", "version": "2026.1.24-2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50204?format=api", "vulnerability_id": "VCID-3m66-j8ru-gkhq", "summary": "OpenClaw affected by denial of service via unbounded webhook request body buffering\nMultiple webhook handlers accepted and buffered request bodies without a strict unified byte/time limit. A remote unauthenticated attacker could send oversized payloads and cause memory pressure, degrading availability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28478", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34144", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34184", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34217", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00142", "scoring_system": "epss", "scoring_elements": "0.34202", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28478" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478", "reference_id": "CVE-2026-28478", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28478" }, { "reference_url": "https://github.com/advisories/GHSA-q447-rj3r-2cgh", "reference_id": "GHSA-q447-rj3r-2cgh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q447-rj3r-2cgh" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh", "reference_id": "GHSA-q447-rj3r-2cgh", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:11:57Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q447-rj3r-2cgh" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering", "reference_id": "openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:11:57Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unbounded-webhook-request-body-buffering" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-28478", "GHSA-q447-rj3r-2cgh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3m66-j8ru-gkhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50202?format=api", "vulnerability_id": "VCID-6xkm-ym55-2yfp", "summary": "OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks\nBase64-backed media inputs could be decoded into Buffers before enforcing decoded-size budgets. An attacker supplying oversized base64 payloads can force large allocations, causing memory pressure and denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29612", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.37988", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.37922", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.37956", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0017", "scoring_system": "epss", "scoring_elements": "0.37985", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29612" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/31791233d60495725fa012745dde8d6ee69e9595" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-large-base-media-file-decoding" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612", "reference_id": "CVE-2026-29612", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29612" }, { "reference_url": "https://github.com/advisories/GHSA-w2cg-vxx6-5xjg", "reference_id": "GHSA-w2cg-vxx6-5xjg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w2cg-vxx6-5xjg" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg", "reference_id": "GHSA-w2cg-vxx6-5xjg", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:15:38Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w2cg-vxx6-5xjg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-29612", "GHSA-w2cg-vxx6-5xjg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6xkm-ym55-2yfp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50199?format=api", "vulnerability_id": "VCID-73gk-ecqv-tyej", "summary": "OpenClaw Telegram allowlist authorization accepted mutable usernames\nTelegram allowlist authorization could match on `@username` (mutable/recyclable) instead of immutable numeric sender IDs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28480", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.1391", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13994", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.14031", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28480" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/9e147f00b48e63e7be6964e0e2a97f2980854128" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/e3b432e481a96b8fd41b91273818e514074e05c3" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-mutable-username-in-telegram-allowlist-authorization" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480", "reference_id": "CVE-2026-28480", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28480" }, { "reference_url": "https://github.com/advisories/GHSA-mj5r-hh7j-4gxf", "reference_id": "GHSA-mj5r-hh7j-4gxf", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mj5r-hh7j-4gxf" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf", "reference_id": "GHSA-mj5r-hh7j-4gxf", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T20:58:43Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mj5r-hh7j-4gxf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-28480", "GHSA-mj5r-hh7j-4gxf" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-73gk-ecqv-tyej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50188?format=api", "vulnerability_id": "VCID-8bxj-nx1j-efc9", "summary": "OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)\nArchive extraction lacked strict resource budgets, allowing high-expansion ZIP/TAR archives to consume excessive CPU/memory/disk during install/update flows.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28452", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00148", "scoring_system": "epss", "scoring_elements": "0.35023", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00148", "scoring_system": "epss", "scoring_elements": "0.34949", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00148", "scoring_system": "epss", "scoring_elements": "0.34986", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00148", "scoring_system": "epss", "scoring_elements": "0.35007", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28452" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/5f4b29145c236d124524c2c9af0f8acd048fbdea" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/d3ee5deb87ee2ad0ab83c92c365611165423cb71" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unguarded-archive-extraction-in-extractarchive" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452", "reference_id": "CVE-2026-28452", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28452" }, { "reference_url": "https://github.com/advisories/GHSA-h89v-j3x9-8wqj", "reference_id": "GHSA-h89v-j3x9-8wqj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h89v-j3x9-8wqj" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj", "reference_id": "GHSA-h89v-j3x9-8wqj", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "6.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T16:54:56Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h89v-j3x9-8wqj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-28452", "GHSA-h89v-j3x9-8wqj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8bxj-nx1j-efc9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50205?format=api", "vulnerability_id": "VCID-ack4-vu5k-muaj", "summary": "OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints\nBrowser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26317", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05789", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05833", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05831", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0584", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26317" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317", "reference_id": "CVE-2026-26317", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317" }, { "reference_url": "https://github.com/advisories/GHSA-3fqr-4cg8-h96q", "reference_id": "GHSA-3fqr-4cg8-h96q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3fqr-4cg8-h96q" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q", "reference_id": "GHSA-3fqr-4cg8-h96q", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:31Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-26317", "GHSA-3fqr-4cg8-h96q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ack4-vu5k-muaj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49930?format=api", "vulnerability_id": "VCID-c7tn-g117-nqem", "summary": "OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand\nTwo related vulnerabilities existed in the macOS application's SSH remote connection handling (`CommandResolver.swift`):", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25157", "reference_id": "", "reference_type": "", "scores": [ { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00445", "published_at": "2026-06-05T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00759", "published_at": "2026-06-08T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00764", "published_at": "2026-06-07T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00767", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25157" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157", "reference_id": "CVE-2026-25157", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25157" }, { "reference_url": "https://github.com/advisories/GHSA-q284-4pvr-m585", "reference_id": "GHSA-q284-4pvr-m585", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q284-4pvr-m585" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585", "reference_id": "GHSA-q284-4pvr-m585", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:09Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73774?format=api", "purl": "pkg:npm/clawdbot@2026.1.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29" } ], "aliases": [ "CVE-2026-25157", "GHSA-q284-4pvr-m585" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c7tn-g117-nqem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49956?format=api", "vulnerability_id": "VCID-dknh-z9pk-nygt", "summary": "OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl\nThe Control UI trusts `gatewayUrl` from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.\n\nClicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim's browser initiates the outbound connection.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25253", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30653", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30685", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30718", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30752", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25253" }, { "reference_url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/" } ], "url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://openclaw.ai/blog", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/" } ], "url": "https://openclaw.ai/blog" }, { "reference_url": "https://x.com/0xacb/status/2016913750557651228", "reference_id": "2016913750557651228", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/" } ], "url": "https://x.com/0xacb/status/2016913750557651228" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253", "reference_id": "CVE-2026-25253", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253" }, { "reference_url": "https://github.com/advisories/GHSA-g8p2-7wf7-98mq", "reference_id": "GHSA-g8p2-7wf7-98mq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g8p2-7wf7-98mq" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq", "reference_id": "GHSA-g8p2-7wf7-98mq", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq" }, { "reference_url": "https://ethiack.com/news/blog/one-click-rce-moltbot", "reference_id": "one-click-rce-moltbot", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-03T14:36:53Z/" } ], "url": "https://ethiack.com/news/blog/one-click-rce-moltbot" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73774?format=api", "purl": "pkg:npm/clawdbot@2026.1.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29" } ], "aliases": [ "CVE-2026-25253", "GHSA-g8p2-7wf7-98mq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dknh-z9pk-nygt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49947?format=api", "vulnerability_id": "VCID-f4hw-931n-zqh9", "summary": "OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable\nA Command Injection vulnerability existed in Clawdbot’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands.\n\nAn authenticated user able to control environment variables could influence command execution within the container context.\nThis issue has been fixed and regression tests have been added to prevent reintroduction.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24763", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.2748", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27616", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27566", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00102", "scoring_system": "epss", "scoring_elements": "0.27529", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24763" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.1.29" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763", "reference_id": "CVE-2026-24763", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24763" }, { "reference_url": "https://github.com/advisories/GHSA-mc68-q9jw-2h3v", "reference_id": "GHSA-mc68-q9jw-2h3v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mc68-q9jw-2h3v" }, { "reference_url": "https://github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v", "reference_id": "GHSA-mc68-q9jw-2h3v", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/clawdbot/clawdbot/security/advisories/GHSA-mc68-q9jw-2h3v" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v", "reference_id": "GHSA-mc68-q9jw-2h3v", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T15:54:31Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73774?format=api", "purl": "pkg:npm/clawdbot@2026.1.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29" } ], "aliases": [ "CVE-2026-24763", "GHSA-mc68-q9jw-2h3v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f4hw-931n-zqh9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50211?format=api", "vulnerability_id": "VCID-fhr3-r8sj-ufes", "summary": "OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities\nUnder iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26328", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02183", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02197", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02216", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02209", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26328" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328", "reference_id": "CVE-2026-26328", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328" }, { "reference_url": "https://github.com/advisories/GHSA-g34w-4xqq-h79m", "reference_id": "GHSA-g34w-4xqq-h79m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g34w-4xqq-h79m" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m", "reference_id": "GHSA-g34w-4xqq-h79m", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-20T15:27:05Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74121?format=api", "purl": "pkg:npm/clawdbot@2026.2.14", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.2.14" } ], "aliases": [ "CVE-2026-26328", "GHSA-g34w-4xqq-h79m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fhr3-r8sj-ufes" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50193?format=api", "vulnerability_id": "VCID-jekq-y7ju-hfdc", "summary": "OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting\nWhen multiple Google Chat webhook targets are registered on the same HTTP path, and request verification succeeds for more than one target, inbound webhook events could be routed by first-match semantics. This can cause cross-account policy/context misrouting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28469", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13046", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.12958", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13084", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13081", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28469" }, { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/" } ], "url": "https://github.com/openclaw/openclaw/commit/61d59a802869177d9cef52204767cd83357ab79e" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/" } ], "url": "https://www.vulncheck.com/advisories/openclaw-cross-account-policy-context-misrouting-via-shared-webhook-path-ambiguity" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469", "reference_id": "CVE-2026-28469", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28469" }, { "reference_url": "https://github.com/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rq6g-px6m-c248" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248", "reference_id": "GHSA-rq6g-px6m-c248", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-09T18:01:17Z/" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rq6g-px6m-c248" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "CVE-2026-28469", "GHSA-rq6g-px6m-c248" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jekq-y7ju-hfdc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50148?format=api", "vulnerability_id": "VCID-nu42-52us-v7gp", "summary": "OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch\nGoogle Chat allowlisting supports matching by sender email in addition to immutable sender resource name (`users/<id>`). This weakens identity binding if a deployment assumes allowlists are strictly keyed by immutable principals.", "references": [ { "reference_url": "https://github.com/openclaw/openclaw", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw" }, { "reference_url": "https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/commit/c8424bf29a921e25663b29f308640b3d91a49432" }, { "reference_url": "https://github.com/openclaw/openclaw/pull/16243", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/pull/16243" }, { "reference_url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.14" }, { "reference_url": "https://github.com/advisories/GHSA-chm2-m3w2-wcxm", "reference_id": "GHSA-chm2-m3w2-wcxm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-chm2-m3w2-wcxm" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm", "reference_id": "GHSA-chm2-m3w2-wcxm", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chm2-m3w2-wcxm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/514731?format=api", "purl": "pkg:npm/clawdbot@2026.1.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-c7tn-g117-nqem" }, { "vulnerability": "VCID-dknh-z9pk-nygt" }, { "vulnerability": "VCID-f4hw-931n-zqh9" }, { "vulnerability": "VCID-fhr3-r8sj-ufes" }, { "vulnerability": "VCID-uh81-k39y-q7fq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24" } ], "aliases": [ "GHSA-chm2-m3w2-wcxm" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nu42-52us-v7gp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49917?format=api", "vulnerability_id": "VCID-uh81-k39y-q7fq", "summary": "Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-g8p2-7wf7-98mq. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.", "references": [ { "reference_url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys" }, { "reference_url": "https://openclaw.ai/blog", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://openclaw.ai/blog" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253", "reference_id": "CVE-2026-25253", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25253" }, { "reference_url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq", "reference_id": "GHSA-g8p2-7wf7-98mq", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq" }, { "reference_url": "https://github.com/advisories/GHSA-r2c6-8jc8-g32w", "reference_id": "GHSA-r2c6-8jc8-g32w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r2c6-8jc8-g32w" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73774?format=api", "purl": "pkg:npm/clawdbot@2026.1.29", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.29" } ], "aliases": [ "GHSA-r2c6-8jc8-g32w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uh81-k39y-q7fq" } ], "fixing_vulnerabilities": [], "risk_score": "4.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/clawdbot@2026.1.24-2" }