| 0 |
| url |
VCID-1f2r-y41u-y7b4 |
| vulnerability_id |
VCID-1f2r-y41u-y7b4 |
| summary |
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x |
| reference_id |
GHSA-49cg-279w-m73x |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:19:51Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-49cg-279w-m73x |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.12 |
| purl |
pkg:npm/openclaw@2026.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12 |
|
|
| aliases |
CVE-2026-43574, GHSA-49cg-279w-m73x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1f2r-y41u-y7b4 |
|
| 1 |
| url |
VCID-1kns-bfm7-wqa7 |
| vulnerability_id |
VCID-1kns-bfm7-wqa7 |
| summary |
OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44 |
| reference_id |
GHSA-2cq5-mf3v-mx44 |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:31:04Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2cq5-mf3v-mx44 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.12 |
| purl |
pkg:npm/openclaw@2026.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12 |
|
|
| aliases |
CVE-2026-43530, GHSA-2cq5-mf3v-mx44
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1kns-bfm7-wqa7 |
|
| 2 |
| url |
VCID-1qnh-qhcx-63et |
| vulnerability_id |
VCID-1qnh-qhcx-63et |
| summary |
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.15 |
| purl |
pkg:npm/openclaw@2026.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15 |
|
|
| aliases |
CVE-2026-44110, GHSA-2gvc-4f3c-2855
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1qnh-qhcx-63et |
|
| 3 |
| url |
VCID-1sxg-r1bm-mygk |
| vulnerability_id |
VCID-1sxg-r1bm-mygk |
| summary |
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce |
| reference_id |
2194587d70d2aef863508b945319c5a7c88b12ce |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/2194587d70d2aef863508b945319c5a7c88b12ce |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98 |
| reference_id |
GHSA-4g5x-2jfc-xm98 |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-4g5x-2jfc-xm98 |
|
| 6 |
| reference_url |
https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass |
| reference_id |
openclaw-disk-exhaustion-via-media-download-bypass |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:35:12Z/ |
|
|
| url |
https://www.vulncheck.com/advisories/openclaw-disk-exhaustion-via-media-download-bypass |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41408, GHSA-4g5x-2jfc-xm98
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1sxg-r1bm-mygk |
|
| 4 |
| url |
VCID-1wqp-rrgy-4ffe |
| vulnerability_id |
VCID-1wqp-rrgy-4ffe |
| summary |
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41356, GHSA-rfqg-qgf8-xr9x
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1wqp-rrgy-4ffe |
|
| 5 |
| url |
VCID-24x5-nkt2-wbg7 |
| vulnerability_id |
VCID-24x5-nkt2-wbg7 |
| summary |
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2 |
| reference_id |
GHSA-82qx-6vj7-p8m2 |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T11:54:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43571, GHSA-82qx-6vj7-p8m2
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-24x5-nkt2-wbg7 |
|
| 6 |
| url |
VCID-27ud-w29j-cbeq |
| vulnerability_id |
VCID-27ud-w29j-cbeq |
| summary |
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
## Summary
Nostr profile mutation routes allowed operator.write config persistence.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin authority.
## Technical Details
The fix requires `operator.admin` scope for Nostr profile mutation routes.
## Fix
The issue was fixed in #63553. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `6517c700de9bb0ee11b41ab625ef3b63d01b6083`
- PR: #63553
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @zpbrent and @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
GHSA-f3h5-h452-vp3j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-27ud-w29j-cbeq |
|
| 7 |
| url |
VCID-2d5p-gd51-3bfc |
| vulnerability_id |
VCID-2d5p-gd51-3bfc |
| summary |
OpenClaw before 2026.4.4 contains a race condition vulnerability in shared-secret authentication that allows concurrent asynchronous requests to bypass the per-key rate-limit budget. Attackers can exploit this by sending multiple simultaneous authentication attempts to circumvent intended rate-limiting protections on Tailscale-capable paths. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r |
| reference_id |
GHSA-25wv-8phj-8p7r |
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:46:26Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-25wv-8phj-8p7r |
|
| 6 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/openclaw@2026.4.5 |
| purl |
pkg:npm/openclaw@2026.4.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5 |
|
|
| aliases |
CVE-2026-41913, GHSA-25wv-8phj-8p7r
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2d5p-gd51-3bfc |
|
| 8 |
| url |
VCID-2p3a-gmxy-37gx |
| vulnerability_id |
VCID-2p3a-gmxy-37gx |
| summary |
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
## Summary
Sandbox noVNC helper route exposed interactive browser session credentials.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.2.21 < 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface.
## Technical Details
The fix gates the sandbox noVNC helper route behind bridge authentication.
## Fix
The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `8dfbf3268bd224b7377d1ecca77a445100746085`
- PR: #63882
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
GHSA-92jp-89mq-4374
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2p3a-gmxy-37gx |
|
| 9 |
| url |
VCID-2tsv-9m6k-1qdn |
| vulnerability_id |
VCID-2tsv-9m6k-1qdn |
| summary |
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41341, GHSA-6336-qqw9-v6x6
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2tsv-9m6k-1qdn |
|
| 10 |
| url |
VCID-3f2g-c9me-nbdm |
| vulnerability_id |
VCID-3f2g-c9me-nbdm |
| summary |
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm |
| reference_id |
GHSA-g5cg-8x5w-7jpm |
| reference_type |
|
| scores |
| 0 |
| value |
9.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 3 |
| value |
9.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
|
| 4 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T19:38:10Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-g5cg-8x5w-7jpm |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41329, GHSA-g5cg-8x5w-7jpm
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3f2g-c9me-nbdm |
|
| 11 |
| url |
VCID-3qf3-mq53-fbgp |
| vulnerability_id |
VCID-3qf3-mq53-fbgp |
| summary |
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration
## Summary
Media Local Roots Self-Whitelisting in `appendLocalMediaParentRoots` Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration
## Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: v2026.3.28 still self-whitelists media parent dirs in src/media/local-roots.ts, but only after config already permits tool-fs root expansion, so the impact is narrower than the default-critical framing.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `1ca4261d7e055d0be141ed79ebb1365d0fbc7364` — 2026-03-30T17:15:03+01:00
OpenClaw thanks @tdjackey for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-57gh-m6rq-54cf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3qf3-mq53-fbgp |
|
| 12 |
| url |
VCID-416m-tsuc-b3fg |
| vulnerability_id |
VCID-416m-tsuc-b3fg |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41348, GHSA-rvvf-6vh3-9j43
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-416m-tsuc-b3fg |
|
| 13 |
| url |
VCID-45as-yk5j-dug2 |
| vulnerability_id |
VCID-45as-yk5j-dug2 |
| summary |
|
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41354, GHSA-rxmx-g7hr-8mx4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-45as-yk5j-dug2 |
|
| 14 |
| url |
VCID-4kcu-akxv-hker |
| vulnerability_id |
VCID-4kcu-akxv-hker |
| summary |
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and agent configurations. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41335, GHSA-hr8g-2q7x-3f4w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4kcu-akxv-hker |
|
| 15 |
| url |
VCID-4qqv-57ws-4yb3 |
| vulnerability_id |
VCID-4qqv-57ws-4yb3 |
| summary |
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377 |
| reference_id |
GHSA-2xcp-x87w-q377 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T18:46:08Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-45002, GHSA-2xcp-x87w-q377
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4qqv-57ws-4yb3 |
|
| 16 |
| url |
VCID-4umw-rnj5-efad |
| vulnerability_id |
VCID-4umw-rnj5-efad |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41374, GHSA-hhff-fj5f-qg48
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4umw-rnj5-efad |
|
| 17 |
| url |
VCID-4yrw-qqvt-jkhn |
| vulnerability_id |
VCID-4yrw-qqvt-jkhn |
| summary |
OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-start WebSocket frames to cause resource consumption and denial of service. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41400, GHSA-2w79-r9g8-wmcr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4yrw-qqvt-jkhn |
|
| 18 |
| url |
VCID-563k-49s5-5fbp |
| vulnerability_id |
VCID-563k-49s5-5fbp |
| summary |
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 1 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg |
| reference_id |
GHSA-9p3r-hh9g-5cmg |
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
|
| 3 |
| value |
9.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H |
|
| 4 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T16:02:53Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9p3r-hh9g-5cmg |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41296, GHSA-9p3r-hh9g-5cmg
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-563k-49s5-5fbp |
|
| 19 |
| url |
VCID-5c35-mfrw-r3fg |
| vulnerability_id |
VCID-5c35-mfrw-r3fg |
| summary |
OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup codes to redirect clients to malicious endpoints, disclosing plaintext gateway credentials. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9 |
| reference_id |
GHSA-83f3-hh45-vfw9 |
| reference_type |
|
| scores |
| 0 |
| value |
5.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:37:33Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-83f3-hh45-vfw9 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-40045, GHSA-83f3-hh45-vfw9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5c35-mfrw-r3fg |
|
| 20 |
| url |
VCID-5hvu-e2e8-y7h6 |
| vulnerability_id |
VCID-5hvu-e2e8-y7h6 |
| summary |
OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq |
| reference_id |
GHSA-gjm7-hw8f-73rq |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:53:49Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41378, GHSA-gjm7-hw8f-73rq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5hvu-e2e8-y7h6 |
|
| 21 |
| url |
VCID-5msy-va7d-jkhz |
| vulnerability_id |
VCID-5msy-va7d-jkhz |
| summary |
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
|
| 1 |
| value |
7.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41364, GHSA-fv94-qvg8-xqpw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5msy-va7d-jkhz |
|
| 22 |
| url |
VCID-5szz-xqng-fffv |
| vulnerability_id |
VCID-5szz-xqng-fffv |
| summary |
OpenClaw: Telegram legacy allowFrom migration fans default-account trust into all named accounts
## Summary
Telegram legacy allowFrom migration fans default-account trust into all named accounts
## Current Maintainer Triage
- Status: open
- Normalized severity: low
- Assessment: Shipped v2026.3.28 Telegram migration fans legacy default-account allowFrom trust into named accounts, which is an in-scope auth-boundary bug and low fits.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `d8c68c8d4265ea6fa5e8c5e056534c351bddef37` — 2026-03-31T12:51:38+01:00
## Release Process Note
- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @smaeljaish771 for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-f693-58pc-2gfr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5szz-xqng-fffv |
|
| 23 |
| url |
VCID-5uvn-998w-hfds |
| vulnerability_id |
VCID-5uvn-998w-hfds |
| summary |
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr |
| reference_id |
GHSA-7g8c-cfr3-vqqr |
| reference_type |
|
| scores |
| 0 |
| value |
9.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 3 |
| value |
9.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-06T14:12:17Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7g8c-cfr3-vqqr |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43534, GHSA-7g8c-cfr3-vqqr
|
| risk_score |
4.2 |
| exploitability |
0.5 |
| weighted_severity |
8.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5uvn-998w-hfds |
|
| 24 |
| url |
VCID-5zh4-jn4s-akc9 |
| vulnerability_id |
VCID-5zh4-jn4s-akc9 |
| summary |
OpenClaw: Paired-device pairing actions were not limited to the caller device
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`
## Impact
A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope ceiling.
This is a same-gateway paired-device authorization bug, not a remote unauthenticated issue. Severity is low.
## Fix
Pairing management actions are now limited to the caller device, so non-admin paired-device sessions cannot approve or operate on unrelated pending device requests.
Fix commit:
- `5a12f30441d5b0b151f550daa2c5c9e8db61e2e6`
## Release
Fixed in OpenClaw `2026.4.20`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
GHSA-xrq9-jm7v-g9h7
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh4-jn4s-akc9 |
|
| 25 |
| url |
VCID-65nh-ys6n-77ag |
| vulnerability_id |
VCID-65nh-ys6n-77ag |
| summary |
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44118, GHSA-r6xh-pqhr-v4xh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-65nh-ys6n-77ag |
|
| 26 |
| url |
VCID-6ce4-zpfh-pybu |
| vulnerability_id |
VCID-6ce4-zpfh-pybu |
| summary |
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the browser.request persistent profile-mutation guard and modify browser configurations. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq |
| reference_id |
GHSA-cmfr-9m2r-xwhq |
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:12:10Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cmfr-9m2r-xwhq |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42431, GHSA-cmfr-9m2r-xwhq
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6ce4-zpfh-pybu |
|
| 27 |
| url |
VCID-6hav-n44a-dkeu |
| vulnerability_id |
VCID-6hav-n44a-dkeu |
| summary |
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
## Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: Real on shipped v2026.3.22: non-sandboxed session_status skipped the shared visibility guard, but this is a same-agent session-policy bypass with unreleased fix, not a broader host-boundary break.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `4d369a3400dc9b737fbe8daa63f09d909ce7beb8` — 2026-03-30T16:48:12+02:00
## Release Process Note
- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
Thanks @tdjackey for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-fwjq-xwfj-gv75
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hav-n44a-dkeu |
|
| 28 |
| url |
VCID-6w88-6bts-sudv |
| vulnerability_id |
VCID-6w88-6bts-sudv |
| summary |
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.15 |
| purl |
pkg:npm/openclaw@2026.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 1 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 2 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 3 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 4 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 5 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 6 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 7 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 8 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 9 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 10 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 11 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 12 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 13 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 14 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 15 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 16 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 17 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 18 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 19 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 20 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 21 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 22 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 23 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15 |
|
|
| aliases |
CVE-2026-43585, GHSA-xmxx-7p24-h892
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6w88-6bts-sudv |
|
| 29 |
| url |
VCID-7j27-ndq2-mfht |
| vulnerability_id |
VCID-7j27-ndq2-mfht |
| summary |
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.5 |
| purl |
pkg:npm/openclaw@2026.4.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 11 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 12 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 13 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 14 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 15 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 16 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 17 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 18 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 19 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 20 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 21 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 22 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 23 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 24 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 25 |
| vulnerability |
VCID-bpy3-pdqr-uube |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 56 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 59 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 60 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 61 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 62 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 63 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 64 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 65 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 66 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 67 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 68 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 69 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 70 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 71 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 72 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 73 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 74 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 75 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 76 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 77 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 78 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 79 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 80 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5 |
|
|
| aliases |
CVE-2026-43576, GHSA-f7fh-qg34-x2xh
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7j27-ndq2-mfht |
|
| 30 |
| url |
VCID-7r7v-pvsj-uyaw |
| vulnerability_id |
VCID-7r7v-pvsj-uyaw |
| summary |
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute force attacks against weak shared passwords. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41333, GHSA-6p8r-6m93-557f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7r7v-pvsj-uyaw |
|
| 31 |
| url |
VCID-82aq-wxf5-aka8 |
| vulnerability_id |
VCID-82aq-wxf5-aka8 |
| summary |
OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c |
| reference_id |
GHSA-53vx-pmqw-863c |
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:39:27Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.14 |
| purl |
pkg:npm/openclaw@2026.4.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14 |
|
|
| aliases |
CVE-2026-43527, GHSA-53vx-pmqw-863c
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-82aq-wxf5-aka8 |
|
| 32 |
| url |
VCID-84ms-aakm-x3dc |
| vulnerability_id |
VCID-84ms-aakm-x3dc |
| summary |
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp |
| reference_id |
GHSA-3vvq-q2qc-7rmp |
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:14:40Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42428, GHSA-3vvq-q2qc-7rmp
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-84ms-aakm-x3dc |
|
| 33 |
| url |
VCID-8h62-5c5b-cbdt |
| vulnerability_id |
VCID-8h62-5c5b-cbdt |
| summary |
OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`
## Impact
Feishu card-action callbacks could synthesize a message event with DM conversations classified as group conversations. That skipped `dmPolicy` enforcement for card actions, so a sender in a Feishu DM could trigger card-action flows that should have been blocked by a restrictive DM policy.
The issue is limited to Feishu card-action handling. Severity is medium.
## Fix
OpenClaw now resolves Feishu card-action chat type before dispatch, including API lookup when stored context is unavailable, and avoids falling through to group handling for DMs.
Fix commit:
- `90979d7c3ef7ec30b9f8aa6963a5e38d2f17d166`
## Release
Fixed in OpenClaw `2026.4.20`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
GHSA-72q8-jcmc-97wx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8h62-5c5b-cbdt |
|
| 34 |
| url |
VCID-8h7u-pr1w-z7df |
| vulnerability_id |
VCID-8h7u-pr1w-z7df |
| summary |
OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR and related variables to redirect git operations and compromise repository integrity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3 |
| reference_id |
GHSA-cm8v-2vh9-cxf3 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:15:09Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cm8v-2vh9-cxf3 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41915, GHSA-cm8v-2vh9-cxf3
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8h7u-pr1w-z7df |
|
| 35 |
| url |
VCID-8sps-h6k2-43c9 |
| vulnerability_id |
VCID-8sps-h6k2-43c9 |
| summary |
OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Attackers can exploit this bypass to intercept or manipulate package management operations by injecting malicious index URLs through unsanitized environment variables. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v |
| reference_id |
GHSA-7ggg-pvrf-458v |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:25:34Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7ggg-pvrf-458v |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41391, GHSA-7ggg-pvrf-458v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8sps-h6k2-43c9 |
|
| 36 |
| url |
VCID-8x39-gcpu-yqd9 |
| vulnerability_id |
VCID-8x39-gcpu-yqd9 |
| summary |
OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9 |
| reference_id |
GHSA-h43v-27wg-5mf9 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:33:12Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-h43v-27wg-5mf9 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41301, GHSA-h43v-27wg-5mf9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8x39-gcpu-yqd9 |
|
| 37 |
| url |
VCID-925q-556p-q3f6 |
| vulnerability_id |
VCID-925q-556p-q3f6 |
| summary |
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj |
| reference_id |
GHSA-3fv3-6p2v-gxwj |
| reference_type |
|
| scores |
| 0 |
| value |
8.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N |
|
| 3 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:55:12Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3fv3-6p2v-gxwj |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41914, GHSA-3fv3-6p2v-gxwj
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-925q-556p-q3f6 |
|
| 38 |
| url |
VCID-9u9n-s6sc-2bhw |
| vulnerability_id |
VCID-9u9n-s6sc-2bhw |
| summary |
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44116, GHSA-2hh7-c75g-qj2r
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9u9n-s6sc-2bhw |
|
| 39 |
| url |
VCID-9vbr-88pv-hudj |
| vulnerability_id |
VCID-9vbr-88pv-hudj |
| summary |
OpenClaw: QQ Bot structured payloads could read arbitrary local files
## Summary
Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.
## Impact
Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths
## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.
Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
GHSA-846p-hgpv-vphc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9vbr-88pv-hudj |
|
| 40 |
| url |
VCID-9xv8-jtc8-ekcr |
| vulnerability_id |
VCID-9xv8-jtc8-ekcr |
| summary |
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89 |
| reference_id |
GHSA-q2gc-xjqw-qp89 |
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-30T12:55:43Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42423, GHSA-q2gc-xjqw-qp89
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9xv8-jtc8-ekcr |
|
| 41 |
| url |
VCID-9zkk-mp8b-kbbg |
| vulnerability_id |
VCID-9zkk-mp8b-kbbg |
| summary |
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43582, GHSA-xq94-r468-qwgj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9zkk-mp8b-kbbg |
|
| 42 |
| url |
VCID-a4pw-9uzw-47ge |
| vulnerability_id |
VCID-a4pw-9uzw-47ge |
| summary |
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious shared reply MEDIA references to cause another channel to read local file paths as trusted generated media. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 |
| reference_id |
d7c3210cd6f5fdfdc1beff4c9541673e814354d5 |
| reference_type |
|
| scores |
| 0 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c |
| reference_id |
GHSA-qqq7-4hxc-x63c |
| reference_type |
|
| scores |
| 0 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:12:58Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qqq7-4hxc-x63c |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42424, GHSA-qqq7-4hxc-x63c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a4pw-9uzw-47ge |
|
| 43 |
| url |
VCID-a9q6-xpjm-6yfd |
| vulnerability_id |
VCID-a9q6-xpjm-6yfd |
| summary |
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass access controls by sending proxied requests that are incorrectly identified as local loopback traffic, circumventing intended remote viewer restrictions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r |
| reference_id |
GHSA-3xv9-89fm-7h4r |
| reference_type |
|
| scores |
| 0 |
| value |
2.9 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
4.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:09:33Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3xv9-89fm-7h4r |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41403, GHSA-3xv9-89fm-7h4r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-a9q6-xpjm-6yfd |
|
| 44 |
| url |
VCID-aegc-6ab1-k7hk |
| vulnerability_id |
VCID-aegc-6ab1-k7hk |
| summary |
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m |
| reference_id |
GHSA-qx8j-g322-qj6m |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T14:40:02Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qx8j-g322-qj6m |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-40037, GHSA-qx8j-g322-qj6m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-aegc-6ab1-k7hk |
|
| 45 |
| url |
VCID-afjz-us2v-k7ak |
| vulnerability_id |
VCID-afjz-us2v-k7ak |
| summary |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76 |
| reference_id |
7be82d4fd1193bcb7e44ee38838f00bf924ffa76 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
|
| 2 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/7be82d4fd1193bcb7e44ee38838f00bf924ffa76 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj |
| reference_id |
GHSA-wppj-c6mr-83jj |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
8.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T17:25:18Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-wppj-c6mr-83jj |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44112, GHSA-wppj-c6mr-83jj
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-afjz-us2v-k7ak |
|
| 46 |
| url |
VCID-agtk-z6cf-1bh7 |
| vulnerability_id |
VCID-agtk-z6cf-1bh7 |
| summary |
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
## Summary
Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
## Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: Shipped v2026.3.28 image processing could fail open on oversized pixel counts and allow decompression-bomb DoS, an availability issue that is valid at medium.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `0ed4f8a72bb140045962e97ab01c94c076b758a4` — 2026-03-31T22:52:55+09:00
OpenClaw thanks @AntAISecurityLab for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-w85g-3h6x-4xh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-agtk-z6cf-1bh7 |
|
| 47 |
| url |
VCID-b3av-6zna-sugm |
| vulnerability_id |
VCID-b3av-6zna-sugm |
| summary |
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41300, GHSA-9f4w-67g7-mqwv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b3av-6zna-sugm |
|
| 48 |
| url |
VCID-bdx2-c7m3-xbfv |
| vulnerability_id |
VCID-bdx2-c7m3-xbfv |
| summary |
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66 |
| reference_id |
GHSA-mhgq-xpfq-6r66 |
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:51:37Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41394, GHSA-mhgq-xpfq-6r66
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bdx2-c7m3-xbfv |
|
| 49 |
| url |
VCID-bqwy-vw6g-uudj |
| vulnerability_id |
VCID-bqwy-vw6g-uudj |
| summary |
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
## Summary
Media download follows cross-origin redirects with Authorization headers intact
## Current Maintainer Triage
- Status: open
- Normalized severity: medium
- Assessment: Shipped v2026.3.28 media downloads forwarded Authorization across cross-origin redirects, a real in-scope credential-leak class that fits medium.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `e704323ff388ed21f6963f9b8e0b1b8dfaaabc5f` — 2026-03-31T19:57:42+09:00
OpenClaw thanks @AntAISecurityLab for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-68v4-hmwv-f43h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bqwy-vw6g-uudj |
|
| 50 |
| url |
VCID-brzy-7832-5bhh |
| vulnerability_id |
VCID-brzy-7832-5bhh |
| summary |
OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by declaring operator scopes on non-Control-UI clients, allowing self-declared scopes to persist on identity-bearing authentication paths and escalate privileges. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc |
| reference_id |
GHSA-g374-mggx-p6xc |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:38:09Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-g374-mggx-p6xc |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41404, GHSA-g374-mggx-p6xc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-brzy-7832-5bhh |
|
| 51 |
| url |
VCID-bvyn-2c5r-4bce |
| vulnerability_id |
VCID-bvyn-2c5r-4bce |
| summary |
|
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42427, GHSA-7437-7hg8-frrw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bvyn-2c5r-4bce |
|
| 52 |
| url |
VCID-c3fa-2u7p-pkgn |
| vulnerability_id |
VCID-c3fa-2u7p-pkgn |
| summary |
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.15 |
| purl |
pkg:npm/openclaw@2026.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15 |
|
|
| aliases |
CVE-2026-44109, GHSA-xh72-v6v9-mwhc
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c3fa-2u7p-pkgn |
|
| 53 |
| url |
VCID-c3hg-hct8-eqbv |
| vulnerability_id |
VCID-c3hg-hct8-eqbv |
| summary |
OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj |
| reference_id |
GHSA-c4qm-58hj-j6pj |
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 3 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T14:10:04Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-c4qm-58hj-j6pj |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.14 |
| purl |
pkg:npm/openclaw@2026.4.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14 |
|
|
| aliases |
CVE-2026-42436, GHSA-c4qm-58hj-j6pj
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c3hg-hct8-eqbv |
|
| 54 |
| url |
VCID-c7gn-3t5r-j7bu |
| vulnerability_id |
VCID-c7gn-3t5r-j7bu |
| summary |
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing requests from other accounts to block new pairing challenges on unaffected accounts, causing denial of service. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41346, GHSA-wwfp-w96m-c6x8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c7gn-3t5r-j7bu |
|
| 55 |
| url |
VCID-c8dt-7z8a-qufe |
| vulnerability_id |
VCID-c8dt-7z8a-qufe |
| summary |
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p |
| reference_id |
GHSA-55cf-xx38-4p9p |
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:02Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-55cf-xx38-4p9p |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-45003, GHSA-55cf-xx38-4p9p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c8dt-7z8a-qufe |
|
| 56 |
| url |
VCID-c8mh-j256-j3aa |
| vulnerability_id |
VCID-c8mh-j256-j3aa |
| summary |
## Impact
OpenClaw Host-Exec Environment Variable Injection.
Host exec could inherit environment variables that influence interpreters, shells, or build tools.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.3.28`
- Patched versions: `2026.4.8`
## Fix
The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.
## Verification
The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.
## Credits
Thanks @wsparks-vc for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
GHSA-w9j9-w4cp-6wgr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c8mh-j256-j3aa |
|
| 57 |
| url |
VCID-cbdg-vzrj-puc2 |
| vulnerability_id |
VCID-cbdg-vzrj-puc2 |
| summary |
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh |
| reference_id |
GHSA-mj59-h3q9-ghfh |
| reference_type |
|
| scores |
| 0 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-11T17:56:23Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-44995, GHSA-mj59-h3q9-ghfh
|
| risk_score |
3.3 |
| exploitability |
0.5 |
| weighted_severity |
6.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cbdg-vzrj-puc2 |
|
| 58 |
| url |
VCID-cf4u-fs5p-3ue3 |
| vulnerability_id |
VCID-cf4u-fs5p-3ue3 |
| summary |
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-44117, GHSA-c4qg-j8jg-42q5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cf4u-fs5p-3ue3 |
|
| 59 |
| url |
VCID-cfj6-nuq4-wudw |
| vulnerability_id |
VCID-cfj6-nuq4-wudw |
| summary |
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that escalates identity-bearing operator.read requests to runtime operator.write permissions. Attackers can exploit this by sending read-scoped requests through the gateway auth route to gain unauthorized write access to runtime operations. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc |
| reference_id |
GHSA-4f8g-77mw-3rxc |
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:09:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-4f8g-77mw-3rxc |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42429, GHSA-4f8g-77mw-3rxc
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cfj6-nuq4-wudw |
|
| 60 |
| url |
VCID-cj2h-dvh1-1bhx |
| vulnerability_id |
VCID-cj2h-dvh1-1bhx |
| summary |
OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes
## Summary
SSH-based sandbox backends pass unsanitized process.env to child processes
## Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env forwarding, so lower to low.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `cfe14459531e002a1c61c27d97ec7dc8aecddc1f` — 2026-03-30T20:05:57+01:00
OpenClaw thanks @AntAISecurityLab for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-j9pv-rrcj-6pfx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cj2h-dvh1-1bhx |
|
| 61 |
| url |
VCID-crh9-tw4p-2bgr |
| vulnerability_id |
VCID-crh9-tw4p-2bgr |
| summary |
OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5 |
| reference_id |
GHSA-jf25-7968-h2h5 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:42Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43567, GHSA-jf25-7968-h2h5
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-crh9-tw4p-2bgr |
|
| 62 |
| url |
VCID-d34s-z46v-gygk |
| vulnerability_id |
VCID-d34s-z46v-gygk |
| summary |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79 |
| reference_id |
GHSA-527m-976r-jf79 |
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:49:59Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43573, GHSA-527m-976r-jf79
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d34s-z46v-gygk |
|
| 63 |
| url |
VCID-dtva-truu-4qac |
| vulnerability_id |
VCID-dtva-truu-4qac |
| summary |
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver duplicate webhook messages to unintended targets. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447 |
| reference_id |
GHSA-hhq4-97c2-p447 |
| reference_type |
|
| scores |
| 0 |
| value |
4.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:17:15Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-hhq4-97c2-p447 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41402, GHSA-hhq4-97c2-p447
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dtva-truu-4qac |
|
| 64 |
| url |
VCID-e327-pu9e-x7gh |
| vulnerability_id |
VCID-e327-pu9e-x7gh |
| summary |
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r |
| reference_id |
GHSA-q3jj-46pq-826r |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:25:34Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q3jj-46pq-826r |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44997, GHSA-q3jj-46pq-826r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e327-pu9e-x7gh |
|
| 65 |
| url |
VCID-e351-abpr-7fhx |
| vulnerability_id |
VCID-e351-abpr-7fhx |
| summary |
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-fvx6-pj3r-5q4q. This link is maintained to preserve external references.
### Original Description
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
| references |
| 0 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2026-34425 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2026-34425 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
GHSA-rf75-g96h-j3rm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e351-abpr-7fhx |
|
| 66 |
| url |
VCID-e84v-kdtb-5ycs |
| vulnerability_id |
VCID-e84v-kdtb-5ycs |
| summary |
OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers can send Discord voice ingress requests before channel allowlist authorization is performed, gaining unauthorized access to restricted voice channels. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf |
| reference_id |
GHSA-cqgw-44wg-44rf |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:29:48Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cqgw-44wg-44rf |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41381, GHSA-cqgw-44wg-44rf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e84v-kdtb-5ycs |
|
| 67 |
| url |
VCID-e8sz-63dk-tfbs |
| vulnerability_id |
VCID-e8sz-63dk-tfbs |
| summary |
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v |
| reference_id |
GHSA-c28g-vh7m-fm7v |
| reference_type |
|
| scores |
| 0 |
| value |
4.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-11T17:26:30Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-c28g-vh7m-fm7v |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44991, GHSA-c28g-vh7m-fm7v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e8sz-63dk-tfbs |
|
| 68 |
| url |
VCID-eaeg-e381-nyh5 |
| vulnerability_id |
VCID-eaeg-e381-nyh5 |
| summary |
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h |
| reference_id |
GHSA-66r7-m7xm-v49h |
| reference_type |
|
| scores |
| 0 |
| value |
8.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-06T12:41:49Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43533, GHSA-66r7-m7xm-v49h
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eaeg-e381-nyh5 |
|
| 69 |
| url |
VCID-ed61-sus3-3yh9 |
| vulnerability_id |
VCID-ed61-sus3-3yh9 |
| summary |
OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q |
| reference_id |
GHSA-rg8m-3943-vm6q |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:35Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-rg8m-3943-vm6q |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41376, GHSA-rg8m-3943-vm6q
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ed61-sus3-3yh9 |
|
| 70 |
| url |
VCID-eefn-gpc1-mfdx |
| vulnerability_id |
VCID-eefn-gpc1-mfdx |
| summary |
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
## Summary
The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gateway config mutations.
## Impact
A prompt-injected or otherwise compromised model running with access to the owner-only `gateway` tool could persist unsafe config changes that crossed security boundaries. Examples included config paths affecting command execution, network/proxy/TLS behavior, credential forwarding, telemetry or hook endpoints, memory/indexing surfaces, and operator policy controls. These changes could survive restart once written to config.
## Affected Packages / Versions
- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`
## Fix
OpenClaw replaced the denylist with a fail-closed allowlist. Agent-driven `gateway config.apply` and `gateway config.patch` now permit only narrow agent-tunable prompt/model settings and mention-gating paths. Other config changes are rejected before the gateway mutation RPC is invoked.
## Fix Commit(s)
- `bceda6089aa7b3695cc7696b43c61ae3d01bb0ec` (`fix(gateway): fail closed on runtime config edits`)
## Severity
Severity remains `high`. The vulnerable entry point is owner-only, but the model/agent is not a trusted principal under OpenClaw's security model, and the guard is the explicit model-to-operator boundary for persisted config mutation. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-cwj3-vqpp-pmxr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eefn-gpc1-mfdx |
|
| 71 |
| url |
VCID-eju9-rz5x-1bbk |
| vulnerability_id |
VCID-eju9-rz5x-1bbk |
| summary |
Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
| references |
| 0 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2026-34511 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2026-34511 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
GHSA-ch86-pxr9-j9h9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eju9-rz5x-1bbk |
|
| 72 |
| url |
VCID-esve-n4ww-rudc |
| vulnerability_id |
VCID-esve-n4ww-rudc |
| summary |
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4 |
| reference_id |
GHSA-cwq8-6f96-g3q4 |
| reference_type |
|
| scores |
| 0 |
| value |
4.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:53:31Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41377, GHSA-cwq8-6f96-g3q4
|
| risk_score |
2.3 |
| exploitability |
0.5 |
| weighted_severity |
4.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-esve-n4ww-rudc |
|
| 73 |
| url |
VCID-f22e-sy58-g7fb |
| vulnerability_id |
VCID-f22e-sy58-g7fb |
| summary |
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj |
| reference_id |
GHSA-939r-rj45-g2rj |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:42:35Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-939r-rj45-g2rj |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.9 |
| purl |
pkg:npm/openclaw@2026.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-bdss-ct5q-cyak |
|
| 20 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 21 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 22 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 23 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 24 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 25 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 26 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 27 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 28 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 29 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 30 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 54 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 55 |
| vulnerability |
VCID-vbfg-fz5c-9yde |
|
| 56 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 57 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 58 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9 |
|
|
| aliases |
CVE-2026-43569, GHSA-939r-rj45-g2rj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f22e-sy58-g7fb |
|
| 74 |
| url |
VCID-f925-x5qa-buav |
| vulnerability_id |
VCID-f925-x5qa-buav |
| summary |
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh |
| reference_id |
GHSA-rj2p-j66c-mgqh |
| reference_type |
|
| scores |
| 0 |
| value |
8.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T14:03:51Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-rj2p-j66c-mgqh |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-42439, GHSA-rj2p-j66c-mgqh
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f925-x5qa-buav |
|
| 75 |
| url |
VCID-f95y-gnx3-wydp |
| vulnerability_id |
VCID-f95y-gnx3-wydp |
| summary |
OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-42433, GHSA-7jp6-r74r-995q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-f95y-gnx3-wydp |
|
| 76 |
| url |
VCID-fcfw-yctj-v3cy |
| vulnerability_id |
VCID-fcfw-yctj-v3cy |
| summary |
OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9 |
| reference_id |
GHSA-j6c7-3h5x-99g9 |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-06T12:30:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-j6c7-3h5x-99g9 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.12 |
| purl |
pkg:npm/openclaw@2026.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 1 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 2 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 3 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 4 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 5 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 6 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 7 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 8 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 9 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 10 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 11 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 12 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 13 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 14 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 15 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 16 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 17 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 18 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 19 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 20 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 21 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 22 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 23 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 24 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 25 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 26 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 27 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 28 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 29 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 30 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 31 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 32 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 33 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 34 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 35 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 36 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12 |
|
|
| aliases |
CVE-2026-42435, GHSA-j6c7-3h5x-99g9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fcfw-yctj-v3cy |
|
| 77 |
| url |
VCID-fgkb-fmuq-wffh |
| vulnerability_id |
VCID-fgkb-fmuq-wffh |
| summary |
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-45004, GHSA-r39h-4c2p-3jxp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fgkb-fmuq-wffh |
|
| 78 |
| url |
VCID-fzag-upa9-n7cr |
| vulnerability_id |
VCID-fzag-upa9-n7cr |
| summary |
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
## Summary
Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
## Current Maintainer Triage
- Status: narrow
- Normalized severity: medium
- Assessment: Released workspace-only apply_patch remove and mkdir operations were still check-then-act, but the draft overstates scope by bundling broader edit paths; keep it open but narrow it to the actual sandbox-workspace mutation boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `32a4a47d602e0618f87b3e59f94d8c142767f860` — 2026-03-30T16:49:49+01:00
OpenClaw thanks @AntAISecurityLab for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-rm5c-4rmf-vvhw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fzag-upa9-n7cr |
|
| 79 |
| url |
VCID-gd62-paxx-abgy |
| vulnerability_id |
VCID-gd62-paxx-abgy |
| summary |
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm |
| reference_id |
GHSA-68x5-xx89-w9mm |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:00:46Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41916, GHSA-68x5-xx89-w9mm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gd62-paxx-abgy |
|
| 80 |
| url |
VCID-h5h5-c9az-4be3 |
| vulnerability_id |
VCID-h5h5-c9az-4be3 |
| summary |
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8 |
| reference_id |
GHSA-qcj9-wwgw-6gm8 |
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T19:16:36Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-qcj9-wwgw-6gm8 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41396, GHSA-qcj9-wwgw-6gm8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h5h5-c9az-4be3 |
|
| 81 |
| url |
VCID-h6wv-azua-wkgw |
| vulnerability_id |
VCID-h6wv-azua-wkgw |
| summary |
OpenClaw versions prior to commit 8aceaf5 contain a preflight validation bypass vulnerability in shell-bleed protection that allows attackers to execute blocked script content by using piped or complex command forms that the parser fails to recognize. Attackers can craft commands such as piped execution, command substitution, or subshell invocation to bypass the validateScriptFileForShellBleed() validation checks and execute arbitrary script content that would otherwise be blocked. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-34425, GHSA-fvx6-pj3r-5q4q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h6wv-azua-wkgw |
|
| 82 |
| url |
VCID-h77b-c2kq-8kej |
| vulnerability_id |
VCID-h77b-c2kq-8kej |
| summary |
OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it through the redirect URL. Attackers who capture the redirect URL can obtain both the authorization code and PKCE verifier, defeating PKCE protection and enabling token redemption. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf |
| reference_id |
GHSA-9jpj-g8vv-j5mf |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T16:56:07Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9jpj-g8vv-j5mf |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-34511, GHSA-9jpj-g8vv-j5mf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h77b-c2kq-8kej |
|
| 83 |
| url |
VCID-h78a-py8h-ekgj |
| vulnerability_id |
VCID-h78a-py8h-ekgj |
| summary |
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43584, GHSA-vfp4-8x56-j7c5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h78a-py8h-ekgj |
|
| 84 |
| url |
VCID-hbkd-8rx2-4qb8 |
| vulnerability_id |
VCID-hbkd-8rx2-4qb8 |
| summary |
OpenClaw: Agent gateway config mutations could change protected operator settings
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`
## Impact
The agent-facing `gateway config.patch` / `config.apply` guard did not cover several operator-trusted settings, including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool could persist changes to those settings.
This is a model-to-operator guard bypass, not a remote unauthenticated gateway compromise. Severity is medium.
## Fix
OpenClaw now blocks model-driven gateway config mutations for the broader operator-trusted path set and covers per-agent overrides and array-entry patching.
Fix commit:
- `fe30b31a97a917ecc6e92f6c85378b6b20352422`
## Release
Fixed in OpenClaw `2026.4.20`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
GHSA-7jm2-g593-4qrc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hbkd-8rx2-4qb8 |
|
| 85 |
| url |
VCID-hh2g-pzbh-13ax |
| vulnerability_id |
VCID-hh2g-pzbh-13ax |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41406, GHSA-877v-w3f5-3pcq
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hh2g-pzbh-13ax |
|
| 86 |
| url |
VCID-hrnb-5t6m-jkaq |
| vulnerability_id |
VCID-hrnb-5t6m-jkaq |
| summary |
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v |
| reference_id |
GHSA-vc32-h5mq-453v |
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:04:48Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41910, GHSA-vc32-h5mq-453v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hrnb-5t6m-jkaq |
|
| 87 |
| url |
VCID-jarm-du2f-1uef |
| vulnerability_id |
VCID-jarm-du2f-1uef |
| summary |
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can exploit the race to swap the target file between validation and the preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j |
| reference_id |
GHSA-gj9q-8w99-mp8j |
| reference_type |
|
| scores |
| 0 |
| value |
2.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:18:03Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-gj9q-8w99-mp8j |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43529, GHSA-gj9q-8w99-mp8j
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jarm-du2f-1uef |
|
| 88 |
| url |
VCID-jdbz-6b2q-xyav |
| vulnerability_id |
VCID-jdbz-6b2q-xyav |
| summary |
OpenClaw's Gateway Control UI bootstrap config required Gateway auth
## Summary
Gateway Control UI bootstrap config required Gateway auth.
## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
## Impact
When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without a valid Gateway token. That response could expose sensitive bootstrap/config fields intended only for authenticated Control UI sessions.
## Fix
The bootstrap config route now goes through the same Gateway read-auth path as other authenticated Control UI reads. Regression tests cover unauthenticated rejection, valid-token access, and basePath handling.
## Fix Commit(s)
- 2321d67263bc710e357644d59f746b08d891051b
## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
OpenClaw thanks @zsxsoft for reporting. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-93rg-2xm5-2p9v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jdbz-6b2q-xyav |
|
| 89 |
| url |
VCID-jj5g-2uaq-tua3 |
| vulnerability_id |
VCID-jj5g-2uaq-tua3 |
| summary |
OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious environment variables to override critical system configurations and compromise host execution integrity. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41369, GHSA-cg7q-fg22-4g98
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jj5g-2uaq-tua3 |
|
| 90 |
| url |
VCID-jnbs-cnfs-nkb5 |
| vulnerability_id |
VCID-jnbs-cnfs-nkb5 |
| summary |
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser in trusted-proxy deployments to perform unauthorized actions on HTTP operator endpoints. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41347, GHSA-mhr7-2xmv-4c4q
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jnbs-cnfs-nkb5 |
|
| 91 |
| url |
VCID-jwnv-j7hq-sbh9 |
| vulnerability_id |
VCID-jwnv-j7hq-sbh9 |
| summary |
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
## Summary
The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.
## Impact
When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.
## Affected versions
- Affected: `< 2026.4.15`
- Patched: `2026.4.15`
## Fix
OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient.
Verified in `v2026.4.15`:
- `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path.
- `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior.
Fix commit included in `v2026.4.15` and absent from `v2026.4.14`:
- `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026
Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.15 |
| purl |
pkg:npm/openclaw@2026.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15 |
|
|
| aliases |
GHSA-f934-5rqf-xx47
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jwnv-j7hq-sbh9 |
|
| 92 |
| url |
VCID-jzvr-jz7v-q3h1 |
| vulnerability_id |
VCID-jzvr-jz7v-q3h1 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41405, GHSA-p464-m8x6-vhv8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jzvr-jz7v-q3h1 |
|
| 93 |
| url |
VCID-kact-h3hk-d7eg |
| vulnerability_id |
VCID-kact-h3hk-d7eg |
| summary |
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0
## Summary
Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
The sandbox browser CDP relay could bind too broadly, exposing Chrome DevTools Protocol access outside the intended local/sandbox source range.
## Technical Details
The fix enforces CDP source-range restriction by default and avoids broad `0.0.0.0` exposure unless explicitly configured.
## Fix
The issue was fixed in #61404. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `fbf11ebdb7110632f93926d0ac7b48f04cb44d77`
- PR: #61404
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 4 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 5 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 6 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 7 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 8 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 9 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 10 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 11 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 12 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 13 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 14 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 15 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 16 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 17 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 18 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 19 |
| vulnerability |
VCID-cvqa-cn56-kuh1 |
|
| 20 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 21 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 22 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 23 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 24 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 25 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 26 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 27 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 28 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 29 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 30 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 31 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 32 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 33 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 34 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 35 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 36 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 37 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 38 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 39 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 40 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 41 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
GHSA-525j-hqq2-66r4
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kact-h3hk-d7eg |
|
| 94 |
| url |
VCID-kdn3-sa62-4bef |
| vulnerability_id |
VCID-kdn3-sa62-4bef |
| summary |
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc |
| reference_id |
GHSA-3pm9-5j7m-59vc |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:28:29Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41388, GHSA-3pm9-5j7m-59vc
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kdn3-sa62-4bef |
|
| 95 |
| url |
VCID-kfmd-usy4-afbu |
| vulnerability_id |
VCID-kfmd-usy4-afbu |
| summary |
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm |
| reference_id |
GHSA-w8g9-x8gx-crmm |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:56:41Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-w8g9-x8gx-crmm |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42430, GHSA-w8g9-x8gx-crmm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kfmd-usy4-afbu |
|
| 96 |
| url |
VCID-kkqe-kjun-mufe |
| vulnerability_id |
VCID-kkqe-kjun-mufe |
| summary |
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326 |
| reference_id |
GHSA-2767-2q9v-9326 |
| reference_type |
|
| scores |
| 0 |
| value |
8.2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
8.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-05T12:24:17Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.12 |
| purl |
pkg:npm/openclaw@2026.4.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 1 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 2 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 3 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 4 |
| vulnerability |
VCID-6qbs-72h8-gua4 |
|
| 5 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 6 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 7 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 8 |
| vulnerability |
VCID-9c2u-hch4-8qbj |
|
| 9 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 10 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 11 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 12 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 13 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 14 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 15 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 16 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 17 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 18 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 19 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 20 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 21 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 22 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 23 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 24 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 25 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 26 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 27 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 28 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 29 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 30 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 31 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 32 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 33 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 34 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 35 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 36 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.12 |
|
|
| aliases |
CVE-2026-43526, GHSA-2767-2q9v-9326
|
| risk_score |
3.8 |
| exploitability |
0.5 |
| weighted_severity |
7.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kkqe-kjun-mufe |
|
| 97 |
| url |
VCID-kprt-1prq-n7bt |
| vulnerability_id |
VCID-kprt-1prq-n7bt |
| summary |
OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Docker restrictions, and Git TLS enforcement. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34 |
| reference_id |
GHSA-9gp8-hjxr-6f34 |
| reference_type |
|
| scores |
| 0 |
| value |
4.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:39:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41330, GHSA-9gp8-hjxr-6f34
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kprt-1prq-n7bt |
|
| 98 |
| url |
VCID-kxyq-t74z-p3gf |
| vulnerability_id |
VCID-kxyq-t74z-p3gf |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41385, GHSA-jjw7-3vjf-fg5j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kxyq-t74z-p3gf |
|
| 99 |
| url |
VCID-m4qc-8d4v-dbe2 |
| vulnerability_id |
VCID-m4qc-8d4v-dbe2 |
| summary |
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h |
| reference_id |
GHSA-2qrv-rc5x-2g2h |
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-21T13:35:15Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41295, GHSA-2qrv-rc5x-2g2h
|
| risk_score |
3.9 |
| exploitability |
0.5 |
| weighted_severity |
7.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m4qc-8d4v-dbe2 |
|
| 100 |
| url |
VCID-m8ba-t6kp-3kcx |
| vulnerability_id |
VCID-m8ba-t6kp-3kcx |
| summary |
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 1 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320 |
| reference_id |
3b9dab0ece4643a9643e6a45459f5c709d3ce320 |
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 2 |
| value |
7.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/3b9dab0ece4643a9643e6a45459f5c709d3ce320 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1 |
| reference_id |
c02ee8a3a4cb390b23afdf21317aa8b2096854d1 |
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 2 |
| value |
7.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/c02ee8a3a4cb390b23afdf21317aa8b2096854d1 |
|
| 6 |
|
| 7 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2 |
| reference_id |
GHSA-cwf8-44x6-32c2 |
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
9.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
7.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 5 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T14:37:54Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41397, GHSA-cwf8-44x6-32c2
|
| risk_score |
4.3 |
| exploitability |
0.5 |
| weighted_severity |
8.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m8ba-t6kp-3kcx |
|
| 101 |
| url |
VCID-mzpq-bw9z-w7dm |
| vulnerability_id |
VCID-mzpq-bw9z-w7dm |
| summary |
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.5 |
| purl |
pkg:npm/openclaw@2026.4.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.5 |
|
|
| aliases |
CVE-2026-43570, GHSA-35mw-5vvr-vrxc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mzpq-bw9z-w7dm |
|
| 102 |
| url |
VCID-n3c5-p4ah-e7e9 |
| vulnerability_id |
VCID-n3c5-p4ah-e7e9 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41336, GHSA-3qpv-xf3v-mm45
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n3c5-p4ah-e7e9 |
|
| 103 |
| url |
VCID-nkkj-ue4v-3ueh |
| vulnerability_id |
VCID-nkkj-ue4v-3ueh |
| summary |
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w |
| reference_id |
GHSA-5h3f-885m-v22w |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:15:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3f-885m-v22w |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42421, GHSA-5h3f-885m-v22w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nkkj-ue4v-3ueh |
|
| 104 |
| url |
VCID-pu7g-crjz-27c6 |
| vulnerability_id |
VCID-pu7g-crjz-27c6 |
| summary |
OpenClaw: pnpm dlx approvals did not bind local script operands
## Summary
Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval.
## Impact
An operator could approve a benign local script and then execute modified script contents through the still-valid approval plan. This was an approval-integrity bug in the node-host command-planning path.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `176c059b05357df1bc09d4328a2380670859eeff` — bind local scripts in `pnpm dlx` approval plans
## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.
Thanks @Kazamayc for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
GHSA-w6wx-jq6j-6mcj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pu7g-crjz-27c6 |
|
| 105 |
| url |
VCID-pyut-62r7-6fgp |
| vulnerability_id |
VCID-pyut-62r7-6fgp |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42420, GHSA-ccx3-fw7q-rr2r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pyut-62r7-6fgp |
|
| 106 |
| url |
VCID-qmnc-zfxh-87g4 |
| vulnerability_id |
VCID-qmnc-zfxh-87g4 |
| summary |
|
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41912, GHSA-vr5g-mmx7-h897
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qmnc-zfxh-87g4 |
|
| 107 |
| url |
VCID-qpq9-cabj-a7hj |
| vulnerability_id |
VCID-qpq9-cabj-a7hj |
| summary |
OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-41908, GHSA-v8qf-fr4g-28p2
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qpq9-cabj-a7hj |
|
| 108 |
| url |
VCID-qqsk-1mk9-pygw |
| vulnerability_id |
VCID-qqsk-1mk9-pygw |
| summary |
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45 |
| reference_id |
95119017c847c737bd113f0bff728c4666d79c45 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 2 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/95119017c847c737bd113f0bff728c4666d79c45 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p |
| reference_id |
GHSA-5h3g-6xhh-rg6p |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
8.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-07T13:04:19Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5h3g-6xhh-rg6p |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-44113, GHSA-5h3g-6xhh-rg6p
|
| risk_score |
3.8 |
| exploitability |
0.5 |
| weighted_severity |
7.5 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qqsk-1mk9-pygw |
|
| 109 |
| url |
VCID-qqz4-uy33-qya2 |
| vulnerability_id |
VCID-qqz4-uy33-qya2 |
| summary |
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and upload_image endpoints to access files beyond the intended workspace-only filesystem policy. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983 |
| reference_id |
GHSA-5fc7-f62m-8983 |
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T14:39:00Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5fc7-f62m-8983 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-41911, GHSA-5fc7-f62m-8983
|
| risk_score |
3.0 |
| exploitability |
0.5 |
| weighted_severity |
5.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qqz4-uy33-qya2 |
|
| 110 |
| url |
VCID-qt8t-f9xc-qbgp |
| vulnerability_id |
VCID-qt8t-f9xc-qbgp |
| summary |
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGuard that allows unsafe request bodies to be resent across cross-origin redirects. Attackers can exploit this by triggering redirects to exfiltrate sensitive request data or headers to unintended origins. |
| references |
| 0 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2026-40037 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2026-40037 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
GHSA-pg8g-f2hf-x82m
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qt8t-f9xc-qbgp |
|
| 111 |
| url |
VCID-qujt-gddx-ckbm |
| vulnerability_id |
VCID-qujt-gddx-ckbm |
| summary |
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to preserve or mint roles and scopes that had not undergone intended approval. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54 |
| reference_id |
GHSA-whf9-3hcx-gq54 |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:03:32Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-whf9-3hcx-gq54 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42422, GHSA-whf9-3hcx-gq54
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qujt-gddx-ckbm |
|
| 112 |
| url |
VCID-r75w-jwbm-dyew |
| vulnerability_id |
VCID-r75w-jwbm-dyew |
| summary |
OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887 |
| reference_id |
GHSA-57r2-h2wj-g887 |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
1.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-12T13:52:52Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-57r2-h2wj-g887 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-44999, GHSA-57r2-h2wj-g887
|
| risk_score |
2.9 |
| exploitability |
0.5 |
| weighted_severity |
5.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-r75w-jwbm-dyew |
|
| 113 |
| url |
VCID-rffw-fgxm-1ue9 |
| vulnerability_id |
VCID-rffw-fgxm-1ue9 |
| summary |
|
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41398, GHSA-4p4f-fc8q-84m3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rffw-fgxm-1ue9 |
|
| 114 |
| url |
VCID-rm55-3hs1-23b4 |
| vulnerability_id |
VCID-rm55-3hs1-23b4 |
| summary |
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without the operator.admin scope requirement. Attackers can bypass re-pairing authentication to execute privileged commands on the local assistant system. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42432, GHSA-5wj5-87vq-39xm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rm55-3hs1-23b4 |
|
| 115 |
| url |
VCID-rr2j-c7md-57gj |
| vulnerability_id |
VCID-rr2j-c7md-57gj |
| summary |
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm |
| reference_id |
GHSA-jwrq-8g5x-5fhm |
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |
|
| 3 |
| value |
7.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T12:07:14Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jwrq-8g5x-5fhm |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.14 |
| purl |
pkg:npm/openclaw@2026.4.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 1 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 2 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 3 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 4 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 5 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 6 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 7 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 8 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 9 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 10 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 11 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 12 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 13 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 14 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 15 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 16 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 17 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 18 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 19 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 20 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 21 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 22 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 23 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 24 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 25 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 26 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 27 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 28 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 29 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14 |
|
|
| aliases |
CVE-2026-43535, GHSA-jwrq-8g5x-5fhm
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rr2j-c7md-57gj |
|
| 116 |
| url |
VCID-sbxm-vwhw-9fhd |
| vulnerability_id |
VCID-sbxm-vwhw-9fhd |
| summary |
OpenClaw's exec allowlist analysis rejects shell expansion in unquoted heredocs
## Summary
Exec allowlist analysis rejects shell expansion in unquoted heredocs
## Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
## Impact
An allowlisted command containing an unquoted heredoc could hide shell expansion in the heredoc body. That could make the approved command text look safer than what the shell would evaluate at runtime.
## Fix
The exec command analyzer now tracks heredoc bodies, rejects unquoted heredoc expansion tokens and continuation-splice bypasses, and preserves quoted heredocs and literal safe text.
## Fix Commit(s)
- b2e8b7d4bb2f22eaa16f5c4b07547774e90b65a5
## Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
Thanks @VladimirEliTokarev for reporting. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-x3h8-jrgh-p8jx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sbxm-vwhw-9fhd |
|
| 117 |
| url |
VCID-sqr6-smfg-uqdy |
| vulnerability_id |
VCID-sqr6-smfg-uqdy |
| summary |
OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by sending requests to this endpoint, bypassing authorization controls. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw |
| reference_id |
GHSA-5hff-46vh-rxmw |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T17:34:13Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-5hff-46vh-rxmw |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41298, GHSA-5hff-46vh-rxmw
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sqr6-smfg-uqdy |
|
| 118 |
| url |
VCID-sqxg-9akn-j7az |
| vulnerability_id |
VCID-sqxg-9akn-j7az |
| summary |
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h |
| reference_id |
GHSA-jj6q-rrrf-h66h |
| reference_type |
|
| scores |
| 0 |
| value |
3.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-30T12:53:09Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41407, GHSA-jj6q-rrrf-h66h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sqxg-9akn-j7az |
|
| 119 |
| url |
VCID-t14t-27xx-83g3 |
| vulnerability_id |
VCID-t14t-27xx-83g3 |
| summary |
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user replies to bypass sender access controls and manipulate model context. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41358, GHSA-qm77-8qjp-4vcm
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t14t-27xx-83g3 |
|
| 120 |
| url |
VCID-t2b3-n8xb-k3fn |
| vulnerability_id |
VCID-t2b3-n8xb-k3fn |
| summary |
OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning `localhost.` to retarget authenticated browser control toward localhost endpoints and expose browser state. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41372, GHSA-fh32-73r9-rgh5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t2b3-n8xb-k3fn |
|
| 121 |
| url |
VCID-t7nn-6cy7-2yak |
| vulnerability_id |
VCID-t7nn-6cy7-2yak |
| summary |
OpenClaw: Webchat audio embedding could read local files without local-root containment
## Impact
OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths.
If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.
The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.
## Affected Packages / Versions
- Package: `openclaw` on npm
- Affected versions: `<= 2026.4.14`
- Patched version: `2026.4.15`
The latest public release, `2026.4.21`, also contains the fix.
## Patches
The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding.
Fix commit:
- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde`
## Workarounds
Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.
## Credits
OpenClaw thanks @zsxsoft for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.15 |
| purl |
pkg:npm/openclaw@2026.4.15 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 1 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 2 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 3 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 4 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 5 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 6 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 7 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 8 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 9 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 10 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 11 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 12 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 13 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 14 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 15 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 16 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 17 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 18 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 19 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 20 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 21 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 22 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 23 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.15 |
|
|
| aliases |
GHSA-gfg9-5357-hv4c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t7nn-6cy7-2yak |
|
| 122 |
| url |
VCID-tegh-qc36-ufha |
| vulnerability_id |
VCID-tegh-qc36-ufha |
| summary |
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`
## Impact
Bundled MCP and LSP tools could be appended to the agent's effective tool set after the normal tool-policy pipeline had already filtered core tools. If an operator configured a restrictive policy, such as a tool profile, explicit allow/deny list, owner-only tool restriction, sandbox tool policy, or subagent tool policy, a bundled MCP/LSP tool could remain available even though the same policy would have denied it.
The issue required a configured bundled MCP or LSP tool source and an operator policy that should have restricted that tool. This was a local agent policy-enforcement bypass, not an unauthenticated remote gateway compromise. Severity is medium.
## Fix
OpenClaw now applies a final effective tool policy pass to bundled MCP/LSP tools before merging them into the tool set used by normal runs and compaction. The pass covers profile policy, provider profile policy, global/agent/group policies, owner-only filtering, sandbox tool policy, and subagent tool policy.
Fix commit:
- `0e7a992d3f3155199c1acc2dd9a53c5b3a4d3ada`
## Release
Fixed in OpenClaw `2026.4.20`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
GHSA-qrp5-gfw2-gxv4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tegh-qc36-ufha |
|
| 123 |
| url |
VCID-tgnw-vne2-2kc1 |
| vulnerability_id |
VCID-tgnw-vne2-2kc1 |
| summary |
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads
## Summary
Browser interaction routes could pivot into local CDP and regain file reads.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.9`
- Patched versions: `>= 2026.4.9`
## Impact
Browser act/evaluate interactions could trigger navigation into the local CDP origin and then create or read disallowed `file://` pages despite direct navigation guards.
## Technical Details
The fix re-checks browser URLs after interaction-driven navigations and blocks targets that violate the configured navigation policy.
## Fix
The issue was fixed in #63226. The first stable tag containing the fix is `v2026.4.9`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `5f5b3d733bdd791cb457f838514179e1288b10b3`
- PR: #63226
## Release Process Note
Users should upgrade to `openclaw` 2026.4.9 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @tdjackey for reporting this issue. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.9 |
| purl |
pkg:npm/openclaw@2026.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-bdss-ct5q-cyak |
|
| 20 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 21 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 22 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 23 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 24 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 25 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 26 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 27 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 28 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 29 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 30 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 54 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 55 |
| vulnerability |
VCID-vbfg-fz5c-9yde |
|
| 56 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 57 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 58 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9 |
|
|
| aliases |
GHSA-qmwg-qprg-3j38
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tgnw-vne2-2kc1 |
|
| 124 |
| url |
VCID-tm7a-1rzn-5yak |
| vulnerability_id |
VCID-tm7a-1rzn-5yak |
| summary |
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
## Impact
Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade.
Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.2`
- Patched versions: `2026.4.8`
## Fix
The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.
## Verification
The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.
## Credits
Thanks @tdjackey for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 6 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 7 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 8 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 9 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 10 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 11 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 12 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 13 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 14 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 15 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 16 |
| vulnerability |
VCID-a727-qa7y-y3hf |
|
| 17 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 18 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 19 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 20 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 21 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 22 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 23 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 24 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 25 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 26 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 27 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 28 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 29 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 30 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 31 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 32 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 33 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 34 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 35 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 36 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 37 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 38 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 39 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 40 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 41 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 42 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 43 |
| vulnerability |
VCID-ns2g-q3vb-akcm |
|
| 44 |
| vulnerability |
VCID-nue7-qr3q-e3h4 |
|
| 45 |
| vulnerability |
VCID-qcd6-fjdp-hyam |
|
| 46 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 47 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 48 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 49 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 50 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 51 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 52 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 53 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 54 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 55 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 56 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 57 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 58 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 59 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
GHSA-gfmx-pph7-g46x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tm7a-1rzn-5yak |
|
| 125 |
| url |
VCID-tm94-jwz9-kkd6 |
| vulnerability_id |
VCID-tm94-jwz9-kkd6 |
| summary |
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook signatures to bypass replay detection while maintaining valid signature verification. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41351, GHSA-37v6-fxx8-xjmx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tm94-jwz9-kkd6 |
|
| 126 |
| url |
VCID-tyz3-w2hm-gqg7 |
| vulnerability_id |
VCID-tyz3-w2hm-gqg7 |
| summary |
OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint access can exfiltrate operator credentials through DNS steering manipulation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238 |
| reference_id |
GHSA-q9w8-cf67-r238 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
HIGH |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T12:50:17Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q9w8-cf67-r238 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-45as-yk5j-dug2 |
|
| 8 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 9 |
| vulnerability |
VCID-5c35-mfrw-r3fg |
|
| 10 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 11 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 12 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 13 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 14 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 15 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 16 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 17 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 18 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 19 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 20 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 21 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 22 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 23 |
| vulnerability |
VCID-9vbr-88pv-hudj |
|
| 24 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 25 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 26 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 27 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 28 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 29 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 30 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 31 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 32 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 33 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 34 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 35 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 36 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 37 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 38 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 39 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 40 |
| vulnerability |
VCID-e351-abpr-7fhx |
|
| 41 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 42 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 43 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 44 |
| vulnerability |
VCID-eju9-rz5x-1bbk |
|
| 45 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 46 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 47 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 48 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 49 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 50 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 51 |
| vulnerability |
VCID-h6wv-azua-wkgw |
|
| 52 |
| vulnerability |
VCID-h77b-c2kq-8kej |
|
| 53 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 54 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 55 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 56 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 57 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 58 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 59 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 60 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 61 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 62 |
| vulnerability |
VCID-m4qc-8d4v-dbe2 |
|
| 63 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 64 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 65 |
| vulnerability |
VCID-pu7g-crjz-27c6 |
|
| 66 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 67 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 68 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 69 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 70 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 71 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 72 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 73 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 74 |
| vulnerability |
VCID-rffw-fgxm-1ue9 |
|
| 75 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 76 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 77 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 78 |
| vulnerability |
VCID-sqr6-smfg-uqdy |
|
| 79 |
| vulnerability |
VCID-sqxg-9akn-j7az |
|
| 80 |
| vulnerability |
VCID-t14t-27xx-83g3 |
|
| 81 |
| vulnerability |
VCID-t2b3-n8xb-k3fn |
|
| 82 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 83 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 84 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 85 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 86 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 87 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 88 |
| vulnerability |
VCID-wwx4-qepr-6ue8 |
|
| 89 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 90 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 91 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 92 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 93 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 94 |
| vulnerability |
VCID-yjb1-4y48-a7g6 |
|
| 95 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
| 96 |
| vulnerability |
VCID-zxc5-3vhg-b3hw |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41393, GHSA-q9w8-cf67-r238
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tyz3-w2hm-gqg7 |
|
| 127 |
| url |
VCID-v3g3-zvr2-3khy |
| vulnerability_id |
VCID-v3g3-zvr2-3khy |
| summary |
OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets
## Summary
Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if `event_name` and `message_id` matched.
## Impact
An attacker who controlled one authenticated Zalo webhook path in a multi-account gateway deployment could cause silent message suppression on a different Zalo account sharing that gateway. This was an availability issue; it did not provide cross-account authentication or data access.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `>= 2026.2.19, < 2026.3.31`
- Patched versions: `>= 2026.3.31`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `4d038bb242c11f39e45f6a4bde400e5fd42e4ebf` — scope webhook replay dedupe per target
- `7cea7c29705b188b464cc9cdc107c275b94b2a72` — follow-up hardening to scope replay dedupe by path and account
## Release Process Note
The initial fix shipped in OpenClaw `2026.3.31` on March 31, 2026. The current published npm release `2026.4.1` from April 1, 2026 also contains follow-up hardening for the same surface.
Thanks @nexrin for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-fqrj-m88p-qf3v
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v3g3-zvr2-3khy |
|
| 128 |
| url |
VCID-v3u2-k16m-9kdp |
| vulnerability_id |
VCID-v3u2-k16m-9kdp |
| summary |
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.14 |
| purl |
pkg:npm/openclaw@2026.4.14 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 1 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 2 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 3 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 4 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 5 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 6 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 7 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 8 |
| vulnerability |
VCID-b158-4js1-77de |
|
| 9 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 10 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 11 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 12 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 13 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 14 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 15 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 16 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 17 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 18 |
| vulnerability |
VCID-hwyc-kv1j-1yhm |
|
| 19 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 20 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 21 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 22 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 23 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 24 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 25 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 26 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 27 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 28 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 29 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.14 |
|
|
| aliases |
CVE-2026-43528, GHSA-8372-7vhw-cm6q
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v3u2-k16m-9kdp |
|
| 129 |
| url |
VCID-v6e8-g5w8-k3ax |
| vulnerability_id |
VCID-v6e8-g5w8-k3ax |
| summary |
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`
## Impact
Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a private-network or metadata endpoint and later be probed by normal profile status flows.
Default trusted-operator browser behavior allows private-network CDP endpoints, so this only affected strict-mode deployments. Severity is low.
## Fix
OpenClaw now checks CDP endpoints against the browser SSRF policy during profile creation and reachability operations.
Fix commits:
- `1fd049e3074cac72f6734a7fe88468c84f5f8bd7`
- `e90c89cf8b1459f2aa1f3a665be67392b6c03fdf`
## Release
Fixed in OpenClaw `2026.4.20`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 1 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 2 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 3 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 4 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 5 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 6 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 7 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 8 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 9 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 10 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 11 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
GHSA-j4c5-89f5-f3pm
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v6e8-g5w8-k3ax |
|
| 130 |
| url |
VCID-vpee-kdhr-xuf3 |
| vulnerability_id |
VCID-vpee-kdhr-xuf3 |
| summary |
|
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41373, GHSA-g8xp-qx39-9jq9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vpee-kdhr-xuf3 |
|
| 131 |
| url |
VCID-wje6-u94m-h3d5 |
| vulnerability_id |
VCID-wje6-u94m-h3d5 |
| summary |
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external services on behalf of the affected system. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p |
| reference_id |
GHSA-9q7v-8mr7-g23p |
| reference_type |
|
| scores |
| 0 |
| value |
6.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T16:02:24Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-9q7v-8mr7-g23p |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41302, GHSA-9q7v-8mr7-g23p
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wje6-u94m-h3d5 |
|
| 132 |
| url |
VCID-wks9-hb2x-f7et |
| vulnerability_id |
VCID-wks9-hb2x-f7et |
| summary |
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to restricted voice channels. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch |
| reference_id |
GHSA-x2m8-53h4-6hch |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
|
| 3 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:33:03Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-x2m8-53h4-6hch |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41382, GHSA-x2m8-53h4-6hch
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wks9-hb2x-f7et |
|
| 133 |
| url |
VCID-wwx4-qepr-6ue8 |
| vulnerability_id |
VCID-wwx4-qepr-6ue8 |
| summary |
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values. Attackers can manipulate these OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x |
| reference_id |
GHSA-m34q-h93w-vg5x |
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T19:49:59Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-m34q-h93w-vg5x |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41383, GHSA-m34q-h93w-vg5x
|
| risk_score |
3.6 |
| exploitability |
0.5 |
| weighted_severity |
7.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wwx4-qepr-6ue8 |
|
| 134 |
| url |
VCID-x5a1-bdbv-2fbv |
| vulnerability_id |
VCID-x5a1-bdbv-2fbv |
| summary |
OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
6.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c |
| reference_id |
dbfcef319618158fa40b31cdac386ea34c392c0c |
| reference_type |
|
| scores |
| 0 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
6.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/dbfcef319618158fa40b31cdac386ea34c392c0c |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc |
| reference_id |
GHSA-7wv4-cc7p-jhxc |
| reference_type |
|
| scores |
| 0 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:49:24Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-7wv4-cc7p-jhxc |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.9 |
| purl |
pkg:npm/openclaw@2026.4.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.9 |
|
|
| aliases |
CVE-2026-43531, GHSA-7wv4-cc7p-jhxc
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x5a1-bdbv-2fbv |
|
| 135 |
| url |
VCID-xdcp-b977-e3bm |
| vulnerability_id |
VCID-xdcp-b977-e3bm |
| summary |
OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-file to load attacker-chosen initialization files while bypassing exec allowlist matching restrictions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3 |
| reference_id |
0c8375424620e12777ef24c162eedc7e9fcfd7e3 |
| reference_type |
|
| scores |
| 0 |
| value |
6.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
5.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 3 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/commit/0c8375424620e12777ef24c162eedc7e9fcfd7e3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w |
| reference_id |
GHSA-wpc6-37g7-8q4w |
| reference_type |
|
| scores |
| 0 |
| value |
6.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
5.4 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 5 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 6 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T12:18:08Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-wpc6-37g7-8q4w |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41392, GHSA-wpc6-37g7-8q4w
|
| risk_score |
3.3 |
| exploitability |
0.5 |
| weighted_severity |
6.6 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xdcp-b977-e3bm |
|
| 136 |
| url |
VCID-xhej-v61s-vkht |
| vulnerability_id |
VCID-xhej-v61s-vkht |
| summary |
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairing approval restrictions to gain unauthorized access to exec-capable nodes. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf |
| reference_id |
GHSA-67mf-f936-ppxf |
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
8.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-29T18:25:43Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-67mf-f936-ppxf |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
CVE-2026-42426, GHSA-67mf-f936-ppxf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
7.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xhej-v61s-vkht |
|
| 137 |
| url |
VCID-xsbb-51rw-p7e8 |
| vulnerability_id |
VCID-xsbb-51rw-p7e8 |
| summary |
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should be filtered by sender allowlists, bypassing message filtering restrictions. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj |
| reference_id |
GHSA-chfm-xgc4-47rj |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
LOW |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
2.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N |
|
| 3 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-28T13:54:54Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-chfm-xgc4-47rj |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41365, GHSA-chfm-xgc4-47rj
|
| risk_score |
2.5 |
| exploitability |
0.5 |
| weighted_severity |
4.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xsbb-51rw-p7e8 |
|
| 138 |
| url |
VCID-xttb-bfmd-uyfh |
| vulnerability_id |
VCID-xttb-bfmd-uyfh |
| summary |
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.7 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
|
| 1 |
| value |
4.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.10 |
| purl |
pkg:npm/openclaw@2026.4.10 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.10 |
|
|
| aliases |
CVE-2026-43580, GHSA-536q-mj95-h29h
|
| risk_score |
3.5 |
| exploitability |
0.5 |
| weighted_severity |
6.9 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xttb-bfmd-uyfh |
|
| 139 |
| url |
VCID-xv1n-1wbt-8ydw |
| vulnerability_id |
VCID-xv1n-1wbt-8ydw |
| summary |
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the replay process. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41337, GHSA-89r3-6x4j-v7wf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xv1n-1wbt-8ydw |
|
| 140 |
| url |
VCID-y5k6-v1cj-cqg6 |
| vulnerability_id |
VCID-y5k6-v1cj-cqg6 |
| summary |
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9 |
| reference_id |
GHSA-q8ff-7ffm-m3r9 |
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
5.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-12T16:10:40Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-q8ff-7ffm-m3r9 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-45005, GHSA-q8ff-7ffm-m3r9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y5k6-v1cj-cqg6 |
|
| 141 |
| url |
VCID-y922-jg2a-6fff |
| vulnerability_id |
VCID-y922-jg2a-6fff |
| summary |
OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41331, GHSA-m6fx-m8hc-572m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y922-jg2a-6fff |
|
| 142 |
| url |
VCID-y927-u929-17bd |
| vulnerability_id |
VCID-y927-u929-17bd |
| summary |
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel
## Impact
Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel.
An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.2`
- Patched versions: `2026.4.8`
## Fix
The issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.
## Verification
The fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.
## Credits
Thanks @tdjackey for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.8 |
| purl |
pkg:npm/openclaw@2026.4.8 |
| is_vulnerable |
true |
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.8 |
|
|
| aliases |
GHSA-jf56-mccx-5f3f
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y927-u929-17bd |
|
| 143 |
| url |
VCID-yjb1-4y48-a7g6 |
| vulnerability_id |
VCID-yjb1-4y48-a7g6 |
| summary |
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding
## Summary
Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.
## Impact
An approved command could run with attacker-chosen environment overrides that were not represented in the approval binding. This created an approval-integrity gap for affected host-exec flows.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `7eb094a00d80e9f6bf0e62f2c45d3b88ff67c04d` — align approval binding with execution-time env-key normalization
## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.
Thanks @iskindar for reporting, and thanks @wsparks-vc for coordination. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
GHSA-98ch-45wp-ch47
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yjb1-4y48-a7g6 |
|
| 144 |
| url |
VCID-yqjc-khg8-uyb4 |
| vulnerability_id |
VCID-yqjc-khg8-uyb4 |
| summary |
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.20 |
| purl |
pkg:npm/openclaw@2026.4.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.20 |
|
|
| aliases |
CVE-2026-44114, GHSA-hxvm-xjvf-93f3
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yqjc-khg8-uyb4 |
|
| 145 |
| url |
VCID-z438-846q-27f3 |
| vulnerability_id |
VCID-z438-846q-27f3 |
| summary |
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive downloads, enabling remote attackers to redirect requests to arbitrary internal or external servers. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr |
| reference_id |
GHSA-vjx8-8p7h-82gr |
| reference_type |
|
| scores |
| 0 |
| value |
7.6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 2 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N |
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-21T13:41:27Z/ |
|
|
| url |
https://github.com/openclaw/openclaw/security/advisories/GHSA-vjx8-8p7h-82gr |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41297, GHSA-vjx8-8p7h-82gr
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z438-846q-27f3 |
|
| 146 |
| url |
VCID-zmfp-x82c-3kcd |
| vulnerability_id |
VCID-zmfp-x82c-3kcd |
| summary |
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41352, GHSA-xj9w-5r6q-x6v4
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zmfp-x82c-3kcd |
|
| 147 |
| url |
VCID-zqds-fryf-tbgv |
| vulnerability_id |
VCID-zqds-fryf-tbgv |
| summary |
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
## Summary
Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
## Current Maintainer Triage
- Normalized severity: medium
- Assessment: v2026.3.28 ACP dispatch still reads attachment paths outside the guarded attachment-cache or root checks, and the root-enforcement fix is not yet shipped.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `566fb73d9da2d73c0be0d9b8e5b762e4dcd8e81d` — 2026-03-30T14:04:02+01:00
OpenClaw thanks @north-echo for reporting. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
GHSA-58q2-7r52-jq62
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zqds-fryf-tbgv |
|
| 148 |
| url |
VCID-zw9g-abft-skg9 |
| vulnerability_id |
VCID-zw9g-abft-skg9 |
| summary |
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook endpoint with concurrent requests before signature verification to exhaust resources and degrade service availability. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.3.31 |
| purl |
pkg:npm/openclaw@2026.3.31 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.3.31 |
|
|
| aliases |
CVE-2026-41343, GHSA-qcc3-jqwp-5vh2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zw9g-abft-skg9 |
|
| 149 |
| url |
VCID-zxc5-3vhg-b3hw |
| vulnerability_id |
VCID-zxc5-3vhg-b3hw |
| summary |
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/openclaw/openclaw |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/openclaw/openclaw |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/openclaw@2026.4.2 |
| purl |
pkg:npm/openclaw@2026.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1f2r-y41u-y7b4 |
|
| 1 |
| vulnerability |
VCID-1kns-bfm7-wqa7 |
|
| 2 |
| vulnerability |
VCID-1qnh-qhcx-63et |
|
| 3 |
| vulnerability |
VCID-24x5-nkt2-wbg7 |
|
| 4 |
| vulnerability |
VCID-27ud-w29j-cbeq |
|
| 5 |
| vulnerability |
VCID-2d5p-gd51-3bfc |
|
| 6 |
| vulnerability |
VCID-2p3a-gmxy-37gx |
|
| 7 |
| vulnerability |
VCID-4qqv-57ws-4yb3 |
|
| 8 |
| vulnerability |
VCID-5uvn-998w-hfds |
|
| 9 |
| vulnerability |
VCID-5zh4-jn4s-akc9 |
|
| 10 |
| vulnerability |
VCID-65nh-ys6n-77ag |
|
| 11 |
| vulnerability |
VCID-6ce4-zpfh-pybu |
|
| 12 |
| vulnerability |
VCID-6w88-6bts-sudv |
|
| 13 |
| vulnerability |
VCID-7j27-ndq2-mfht |
|
| 14 |
| vulnerability |
VCID-7z3d-j9p7-kqed |
|
| 15 |
| vulnerability |
VCID-82aq-wxf5-aka8 |
|
| 16 |
| vulnerability |
VCID-84ms-aakm-x3dc |
|
| 17 |
| vulnerability |
VCID-8h62-5c5b-cbdt |
|
| 18 |
| vulnerability |
VCID-8h7u-pr1w-z7df |
|
| 19 |
| vulnerability |
VCID-925q-556p-q3f6 |
|
| 20 |
| vulnerability |
VCID-9u9n-s6sc-2bhw |
|
| 21 |
| vulnerability |
VCID-9xv8-jtc8-ekcr |
|
| 22 |
| vulnerability |
VCID-9zkk-mp8b-kbbg |
|
| 23 |
| vulnerability |
VCID-a4pw-9uzw-47ge |
|
| 24 |
| vulnerability |
VCID-aegc-6ab1-k7hk |
|
| 25 |
| vulnerability |
VCID-afjz-us2v-k7ak |
|
| 26 |
| vulnerability |
VCID-bvyn-2c5r-4bce |
|
| 27 |
| vulnerability |
VCID-c3fa-2u7p-pkgn |
|
| 28 |
| vulnerability |
VCID-c3hg-hct8-eqbv |
|
| 29 |
| vulnerability |
VCID-c8dt-7z8a-qufe |
|
| 30 |
| vulnerability |
VCID-c8mh-j256-j3aa |
|
| 31 |
| vulnerability |
VCID-cbdg-vzrj-puc2 |
|
| 32 |
| vulnerability |
VCID-cf4u-fs5p-3ue3 |
|
| 33 |
| vulnerability |
VCID-cfj6-nuq4-wudw |
|
| 34 |
| vulnerability |
VCID-crh9-tw4p-2bgr |
|
| 35 |
| vulnerability |
VCID-d34s-z46v-gygk |
|
| 36 |
| vulnerability |
VCID-e327-pu9e-x7gh |
|
| 37 |
| vulnerability |
VCID-e8sz-63dk-tfbs |
|
| 38 |
| vulnerability |
VCID-eaeg-e381-nyh5 |
|
| 39 |
| vulnerability |
VCID-eefn-gpc1-mfdx |
|
| 40 |
| vulnerability |
VCID-f22e-sy58-g7fb |
|
| 41 |
| vulnerability |
VCID-f925-x5qa-buav |
|
| 42 |
| vulnerability |
VCID-f95y-gnx3-wydp |
|
| 43 |
| vulnerability |
VCID-fcfw-yctj-v3cy |
|
| 44 |
| vulnerability |
VCID-fgkb-fmuq-wffh |
|
| 45 |
| vulnerability |
VCID-gd62-paxx-abgy |
|
| 46 |
| vulnerability |
VCID-h78a-py8h-ekgj |
|
| 47 |
| vulnerability |
VCID-hbkd-8rx2-4qb8 |
|
| 48 |
| vulnerability |
VCID-hrnb-5t6m-jkaq |
|
| 49 |
| vulnerability |
VCID-jarm-du2f-1uef |
|
| 50 |
| vulnerability |
VCID-jdbz-6b2q-xyav |
|
| 51 |
| vulnerability |
VCID-jwnv-j7hq-sbh9 |
|
| 52 |
| vulnerability |
VCID-kact-h3hk-d7eg |
|
| 53 |
| vulnerability |
VCID-kfmd-usy4-afbu |
|
| 54 |
| vulnerability |
VCID-kkqe-kjun-mufe |
|
| 55 |
| vulnerability |
VCID-mzpq-bw9z-w7dm |
|
| 56 |
| vulnerability |
VCID-nkkj-ue4v-3ueh |
|
| 57 |
| vulnerability |
VCID-pyut-62r7-6fgp |
|
| 58 |
| vulnerability |
VCID-qmnc-zfxh-87g4 |
|
| 59 |
| vulnerability |
VCID-qpq9-cabj-a7hj |
|
| 60 |
| vulnerability |
VCID-qqsk-1mk9-pygw |
|
| 61 |
| vulnerability |
VCID-qqz4-uy33-qya2 |
|
| 62 |
| vulnerability |
VCID-qt8t-f9xc-qbgp |
|
| 63 |
| vulnerability |
VCID-qujt-gddx-ckbm |
|
| 64 |
| vulnerability |
VCID-r75w-jwbm-dyew |
|
| 65 |
| vulnerability |
VCID-rm55-3hs1-23b4 |
|
| 66 |
| vulnerability |
VCID-rr2j-c7md-57gj |
|
| 67 |
| vulnerability |
VCID-sbxm-vwhw-9fhd |
|
| 68 |
| vulnerability |
VCID-t7nn-6cy7-2yak |
|
| 69 |
| vulnerability |
VCID-tegh-qc36-ufha |
|
| 70 |
| vulnerability |
VCID-tgnw-vne2-2kc1 |
|
| 71 |
| vulnerability |
VCID-tm7a-1rzn-5yak |
|
| 72 |
| vulnerability |
VCID-v3u2-k16m-9kdp |
|
| 73 |
| vulnerability |
VCID-v6e8-g5w8-k3ax |
|
| 74 |
| vulnerability |
VCID-x5a1-bdbv-2fbv |
|
| 75 |
| vulnerability |
VCID-xhej-v61s-vkht |
|
| 76 |
| vulnerability |
VCID-xttb-bfmd-uyfh |
|
| 77 |
| vulnerability |
VCID-y5k6-v1cj-cqg6 |
|
| 78 |
| vulnerability |
VCID-y927-u929-17bd |
|
| 79 |
| vulnerability |
VCID-yqjc-khg8-uyb4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/openclaw@2026.4.2 |
|
|
| aliases |
CVE-2026-41339, GHSA-2f7j-rp58-mr42
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zxc5-3vhg-b3hw |
|