Openclaw
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Openclaw.
By the Year
In 2026 there have been 437 vulnerabilities in Openclaw with an average score of 6.7 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 437 | 6.66 |
It may take a day or so for new Openclaw vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Openclaw Security Vulnerabilities
OpenClaw pre-2026.4.23 Improper Access Control in config.apply/patch
CVE-2026-45006
8.8 - High
- May 11, 2026
OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete denylist protection. Attackers can persist malicious config modifications affecting command execution, network behavior, credentials, and operator policies that survive restart.
Denylist / Deny List
OpenClaw <2026.4.23: Webhook Route Secret Cache Flaw
CVE-2026-45005
6 - Medium
- May 11, 2026
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured webhook task flows until gateway or plugin restart.
Operation on a Resource after Expiration or Release
OpenClaw <2026.4.23 ACR via plugin setup resolver
CVE-2026-45004
7.8 - High
- May 11, 2026
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.
DLL preloading
OpenClaw 2026.4.20 Hook Session-Key Bypass Allows Session Key Hijack
CVE-2026-45002
5.3 - Medium
- May 11, 2026
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.
AuthZ
OpenClaw <2026.4.22: Workspace .env Overrides Connector Hosts (CVE202645003)
CVE-2026-45003
5 - Medium
- May 11, 2026
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime traffic to malicious endpoints by setting endpoint variables in dotenv files.
Confused Deputy
OpenClaw <=2026.4.19 Guard Bypass in Config Endpoints
CVE-2026-45001
7.1 - High
- May 11, 2026
OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/TLS, hook routing, MCP server configuration, SSRF policy, and filesystem hardening. A prompt-injected model with access to the owner-only gateway tool can persist unauthorized changes to protected operator settings.
AuthZ
OpenClaw 2026.4.20 SSRF via CDP profile creation
CVE-2026-45000
5 - Medium
- May 11, 2026
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks. Attackers can create stored profiles pointing to private-network or metadata endpoints that bypass security policies and are later probed during normal profile status operations.
SSRF
OpenClaw2026.4.20 Untrusted Label Leakage in Cron Awareness
CVE-2026-44999
5.3 - Medium
- May 11, 2026
OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering untrusted events as trusted System events.
Insufficient Verification of Data Authenticity
OpenClaw <2026.4.20 tool policy bypass (MCP/LSP)
CVE-2026-44998
5.4 - Medium
- May 11, 2026
OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions. Attackers with local agent access can append restricted tools to the effective tool set after policy filtering, bypassing profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies.
AuthZ
OpenClaw <2026.4.22: Envelope Constraint Bypass Enabling Priv Escalation
CVE-2026-44997
4.3 - Medium
- May 11, 2026
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.
Incorrect Privilege Assignment
OpenClaw <= 2026.4.15 LFI via webchat audio embedding helper
CVE-2026-44996
3.7 - Low
- May 11, 2026
OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs, read audio-like files, and embed them base64-encoded into webchat responses.
Directory traversal
OpenClaw <2026.4.20: Improper env var val in MCP stdio server exec
CVE-2026-44995
7.3 - High
- May 11, 2026
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.
Inclusion of Functionality from Untrusted Control Sphere
Auth Bypass in OpenClaw <2026.4.22 Control UI Bootstrap Config Endpoint
CVE-2026-44994
5.3 - Medium
- May 11, 2026
OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive bootstrap and config information intended only for authenticated Control UI sessions.
AuthZ
OpenClaw <2026.4.20 Feishu Card-Action Misclassifies DM
CVE-2026-44993
5.4 - Medium
- May 11, 2026
OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations. Attackers can bypass dmPolicy enforcement by triggering card-action flows in direct message conversations that should have been blocked by restrictive policies.
Denylist / Deny List
OpenClaw 2026.4.5<2026.4.20 ENV Injection, Minimax API key leak
CVE-2026-44992
5 - Medium
- May 11, 2026
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.
Confused Deputy
OpenClaw auth bypass in command-auth.ts before 2026.4.21
CVE-2026-44991
4.2 - Medium
- May 11, 2026
OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands like /send, /config, or /debug on affected channels to bypass owner-only command authorization checks.
AuthZ
OpenClaw <2026.1.24: Improper Auth via bluebubbles Webhook
CVE-2026-8305
7.3 - High
- May 11, 2026
A vulnerability was detected in OpenClaw up to 2026.1.24. The impacted element is the function handleBlueBubblesWebhookRequest of the file extensions/bluebubbles/src/monitor.ts of the component bluebubbles Webhook. Performing a manipulation results in improper authentication. It is possible to initiate the attack remotely. The exploit is now public and may be used. Upgrading to version 2026.2.12 is sufficient to resolve this issue. The patch is named a6653be0265f1f02b9de46c06f52ea7c81a836e6. The affected component should be upgraded.
authentification
OpenClaw < 2026.4.22: Loopback MCP Owner Context Bypass via Spoofable Tokens
CVE-2026-44118
7.8 - High
- May 06, 2026
OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata.
Authentication Bypass by Spoofing
OpenClaw SSRF in QQBot media upload before 2026.4.20
CVE-2026-44117
5.8 - Medium
- May 06, 2026
OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests.
SSRF
OpenClaw < v2026.4.22 SSRF in Zalo Plugin sendPhoto (BYPASS SSRF Guard)
CVE-2026-44116
8.6 - High
- May 06, 2026
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
SSRF
OpenClaw <2026.4.22 exec allowlist bypass via heredoc shell expansion
CVE-2026-44115
8.8 - High
- May 06, 2026
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.
Denylist / Deny List
OpenClaw <2026.4.20 ENV override CVE-2026-44114
CVE-2026-44114
7.8 - High
- May 06, 2026
OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows.
Denylist / Deny List
OpenClaw <2026.4.22: TOC/TOR RCE via Symlink Swap in OpenShell FS Bridge
CVE-2026-44113
7.7 - High
- May 06, 2026
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents.
TOCTTOU
OpenClaw <2026.4.22: TOCTOU in OpenShell Sandbox FS Write
CVE-2026-44112
9.6 - Critical
- May 06, 2026
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root.
TOCTTOU
OpenClaw <=2026.4.15 A.F.R via QMD memory_get
CVE-2026-44111
4.3 - Medium
- May 06, 2026
OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets.
Allowlist / Allow List
OpenClaw <2026.4.15: Auth Bypass in Feishu Webhook/Action Validation
CVE-2026-44109
9.8 - Critical
- May 06, 2026
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.
Insecure Default Initialization of Resource
OpenClaw < 2026.4.15: Matrix Control Auth Bypass via DM pairing-store
CVE-2026-44110
8.8 - High
- May 06, 2026
OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior.
AuthZ
OpenClaw <2026.4.15: Cached Bearer Auth Enables Use of Revoked Tokens
CVE-2026-43585
8.1 - High
- May 06, 2026
OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access.
Operation on a Resource after Expiration or Release
OpenClaw <2026.4.10 Env DeniLim Flaw: Override VIMINIT/EXINIT/LUA_INIT/HOSTALIASES
CVE-2026-43584
8.8 - High
- May 06, 2026
OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity.
Denylist / Deny List
OpenClaw 2026.4.10-13 Session Context Persistence Flaw (pre-14)
CVE-2026-43583
5.3 - Medium
- May 06, 2026
OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery.
AuthZ
OpenClaw <2026.4.10: SSRF via Browser Navigation Policy (DNS Rebinding)
CVE-2026-43582
6.3 - Medium
- May 06, 2026
OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs.
TOCTTOU
OpenClaw <2026.4.10 CDP Relay improper binding exposes Chrome DevTools
CVE-2026-43581
9.6 - Critical
- May 06, 2026
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration.
Insecure Default Initialization of Resource
OpenClaw <2026.4.10 Navigation Guard SSRF Bypass
CVE-2026-43580
7.7 - High
- May 06, 2026
OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation.
AuthZ
OpenClaw <2026.4.10: Nostr HTTP Profile Routes Rogue Operator Persist Config
CVE-2026-43579
6.5 - Medium
- May 06, 2026
OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence.
AuthZ
OpenClaw <2026.4.10 Privileged Escalation via Async Exec
CVE-2026-43578
9.1 - Critical
- May 06, 2026
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended.
Denylist / Deny List
OpenClaw <v2026.4.9> File Read via act/evaluate Bypass
CVE-2026-43577
6.5 - Medium
- May 06, 2026
OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.
AuthZ
OpenClaw <2026.4.5 SSRF via CDP /json/version Endpoint
CVE-2026-43576
7.7 - High
- May 06, 2026
OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks.
Open Redirect
OpenClaw <2026.4.10: noVNC Helper Auth Bypass Exposes Session Credentials
CVE-2026-43575
9.8 - Critical
- May 06, 2026
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.
AuthZ
OpenClaw <2026.4.12: Improper Authorization in Helper-Backed Channels
CVE-2026-43574
6.5 - Medium
- May 05, 2026
OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id.
Allowlist / Allow List
OpenClaw <2026.4.10 SSRF Policy Bypass via existing-session routes
CVE-2026-43573
7.7 - High
- May 05, 2026
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.
AuthZ
OpenClaw <2026.4.10 Plugin Trust Bypass via Catalog Lookup
CVE-2026-43571
8.8 - High
- May 05, 2026
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.
Inclusion of Functionality from Untrusted Control Sphere
Microsoft Teams SSO invoke handler missing auth before 2026.4.14
CVE-2026-43572
5.3 - Medium
- May 05, 2026
OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality.
AuthZ
OpenClaw<2026.4.5 Symlink Traversal in Marketplace Repo
CVE-2026-43570
6.5 - Medium
- May 05, 2026
OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.
Symlink following
OpenClaw <2026.4.9 auth bypass via autoenabled workspace plugins
CVE-2026-43569
8.8 - High
- May 05, 2026
OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent.
Inclusion of Functionality from Untrusted Control Sphere
Privilege Escalation via /dreaming in OpenClaw <2026.4.10
CVE-2026-43568
6.5 - Medium
- May 05, 2026
OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges.
AuthZ
OpenClaw <2026.4.10 Path Traversal via screen_record outPath
CVE-2026-43567
6.5 - Medium
- May 05, 2026
OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system.
AuthZ
CVE-2026-43566: OpenClaw PrivEsc via Heartbeat Owner Downgrade, v<2026.4.14
CVE-2026-43566
9.1 - Critical
- May 05, 2026
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded.
Denylist / Deny List
OpenClaw 2026.4.10- Input Validation Allows Trusted Event Escalation
CVE-2026-43534
9.1 - Critical
- May 05, 2026
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context.
Insufficient Verification of Data Authenticity
OpenClaw <2026.4.14: Auth Context Reuse in Collect-Mode Queue
CVE-2026-43535
6.8 - Medium
- May 05, 2026
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.
Incorrect Privilege Assignment
OpenClaw <2026.4.10: Arbitrary File Read via QQBot Media Tags
CVE-2026-43533
8.6 - High
- May 05, 2026
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.
Relative Path Traversal
