Openclaw
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Openclaw.
By the Year
In 2026 there have been 504 vulnerabilities in Openclaw with an average score of 6.7 out of ten.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 504 | 6.70 |
It may take a day or so for new Openclaw vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Openclaw Security Vulnerabilities
OpenClaw <=2026.5.12 Allowlist Bypass in Shell Inline-Command Parser
CVE-2026-53866
8.1 - High
- June 16, 2026
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.
AuthZ
OpenClaw 2026.5.2 Path Traversal via Maintenance Tasks
CVE-2026-53865
7.1 - High
- June 16, 2026
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.
Untrusted Path
OpenClaw <2026.5.26: Env Sanitizer Bypass via Node.js Vars
CVE-2026-53864
8.1 - High
- June 16, 2026
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths.
Denylist / Deny List
OpenClaw < 2026.4.25 Group ID Policy Bypass (CVE-2026-53863)
CVE-2026-53863
7.1 - High
- June 16, 2026
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially bypassing intended access controls.
Insecure Direct Object Reference / IDOR
OpenClaw < 2026.5.12 Token Replay Escalates Pairing Authority
CVE-2026-53862
4.2 - Medium
- June 16, 2026
OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.
Incorrect Privilege Assignment
OpenClaw <2026.5.6: Allowlist Bypass in Swift Exec (macOS)
CVE-2026-53861
6.6 - Medium
- June 16, 2026
OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.
Denylist / Deny List
OpenClaw 2026.5.6 Sender Policy Bypass via BlueBubbles Metadata
CVE-2026-53860
4.2 - Medium
- June 16, 2026
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
Reliance on Untrusted Inputs in a Security Decision
OpenClaw <2026.5.26 Hostname Validation Bypass via Trailing-Dot URLs
CVE-2026-53859
6.5 - Medium
- June 16, 2026
OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.
Incomplete Comparison with Missing Factors
OpenClaw 2026.5.2 Env Variable Injection
CVE-2026-53858
7.1 - High
- June 16, 2026
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local paths, potentially executing malicious code during dependency resolution.
Untrusted Path
OpenClaw < 2026.5.3: Policy Enf. Flaw via Mutable Display Meta
CVE-2026-53857
8.1 - High
- June 16, 2026
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.
Authentication Bypass by Spoofing
OpenClaw <2026.4.24 insecure file perms in config recovery
CVE-2026-53856
5.5 - Medium
- June 16, 2026
OpenClaw 2026.4.23 before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the restored config file.
Incorrect Permission Assignment for Critical Resource
OpenClaw <2026.4.2: Inline-ev Bypass via Shell Positional Parameters
CVE-2026-53855
8.1 - High
- June 16, 2026
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.
Denylist / Deny List
CVE-2026-53854: OpenClaw <2026.4.25 PrivEsc via internal/webchat auth wildcard ownerAllowFrom
CVE-2026-53854
6.5 - Medium
- June 16, 2026
OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or webchat paths to execute owner-style command behavior outside intended channel scope, potentially bypassing access controls.
AuthZ
OpenClaw <2026.5.12: ArgPattern Bypass in Exec Allowlist (Linux/macOS)
CVE-2026-53853
8.3 - High
- June 16, 2026
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.
Protection Mechanism Failure
OpenClaw <2026.4.25: Scope Containment Bypass in Device Re-Pairing
CVE-2026-53852
5.4 - Medium
- June 16, 2026
OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests with empty scope sets to skip containment guards and retain unauthorized device access.
Failing Open
OpenClaw 2026.5.12 Notification Bypass via Slack Reactions
CVE-2026-53851
5.3 - Medium
- June 16, 2026
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.
AuthZ
OpenClaw focus command scope bypass <2026.4.25
CVE-2026-53850
5.5 - Medium
- June 16, 2026
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.
AuthZ
OpenClaw <2026.5.7: Discord allowFrom uses mutable names, privilege escalation
CVE-2026-53849
8.1 - High
- June 16, 2026
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
Authentication Bypass by Spoofing
OpenClaw Exec Allowlist Bypass < 2026.5.26
CVE-2026-53848
4.3 - Medium
- June 16, 2026
OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations.
Denylist / Deny List
OpenClaw <2026.5.6 PrivEsc: operator.write can alter global config
CVE-2026-53847
5.4 - Medium
- June 16, 2026
OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can exploit insufficient scope validation to apply unauthorized configuration changes beyond the intended write scope.
Incorrect Privilege Assignment
OpenClaw <2026.4.29 Path Traversal in Install Helper
CVE-2026-53846
7.1 - High
- June 16, 2026
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local package-manager executables during dependency setup to compromise the build environment.
Untrusted Path
OpenClaw before 2026.5.6 Hook Bypass via Dispatch Path
CVE-2026-53845
4.3 - Medium
- June 16, 2026
OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms.
Protection Mechanism Failure
OpenClaw <2026.4.29 Session Visibility Check Bypass
CVE-2026-53844
6.5 - Medium
- June 16, 2026
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
AuthZ
OpenClaw <=2026.5.26: Auth Bypass via Surviving Pairing-Scoped Session
CVE-2026-53843
8.8 - High
- June 16, 2026
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.
Insufficient Session Expiration
OpenClaw <=2026.5.2 ENV VAR Injection in Gcloud Gmail Setup
CVE-2026-53842
7.1 - High
- June 16, 2026
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON variable to execute setup through unintended local Python paths, potentially enabling arbitrary code execution.
Untrusted Path
OpenClaw <v2026.5.12 XSS in Exported Session HTML (JS: data:)
CVE-2026-53841
6.1 - Medium
- June 16, 2026
OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.
Improper Neutralization of Script in Attributes in a Web Page
OpenClaw < 2026.5.12 Info Disclosure via Cross-Origin Redirects
CVE-2026-53840
7.1 - High
- June 16, 2026
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate sensitive headers like API keys or tenant-routing credentials to attacker-controlled origins.
Insufficiently Protected Credentials
OpenClaw <2026.5.7 Prefix Hostname Validation in retry endpoint
CVE-2026-53839
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints.
Incomplete Comparison with Missing Factors
OpenClaw <2026.5.6 Improper Access Control in Mattermost Handlers
CVE-2026-53837
3.7 - Low
- June 12, 2026
OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content.
Failing Open
OpenClaw Pre-2026.5.27 State Mutation via Node Pairing Reconnection
CVE-2026-53838
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions.
TOCTTOU
OpenClaw <2026.5.12 PowerShell encoded-command Allowlist Bypass via Alias
CVE-2026-53836
8.8 - High
- June 12, 2026
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to execute encoded commands using abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks by using unrecognized encoded-command alias forms to execute arbitrary PowerShell content.
Denylist / Deny List
OpenClaw 2026.5.5 Config-Enforce Bypass in Feishu DynAgent Bindings
CVE-2026-53835
4.3 - Medium
- June 12, 2026
OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding feature to change sender-agent binding state beyond intended policy, potentially enabling unauthorized binding modifications.
AuthZ
OpenClaw 2026.4.27 Auth Bypass in QQBot Pre-Dispatch Slash Commands
CVE-2026-53834
7.5 - High
- June 12, 2026
OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration.
AuthZ
OpenClaw QQBot Streaming Auth Bypass <2026.4.29
CVE-2026-53833
7.7 - High
- June 12, 2026
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements.
Authentication Bypass by Spoofing
OpenClaw <2026.5.18 ID header validation flaw
CVE-2026-53832
7.7 - High
- June 12, 2026
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges.
Authentication Bypass by Spoofing
OpenClaw <2026.5.18: Sys.Run Safe-bin Allowlist Shell Expansion Flaw
CVE-2026-53831
8.3 - High
- June 12, 2026
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-local files and expose sensitive configuration data.
TOCTTOU
OpenClaw <2026.4.22> webhook secret revocation bypass
CVE-2026-53830
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials.
Insufficient Session Expiration
OpenClaw <2026.5.18: Auth Truncation exposes exec suffixes
CVE-2026-53829
8 - High
- June 12, 2026
OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval.
User Interface (UI) Misrepresentation of Critical Information
OpenClaw auth bypass via native command handling (pre2026.5.6)
CVE-2026-53828
8.8 - High
- June 12, 2026
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command handling to bypass the configured owner-command access control, potentially executing privileged commands from unauthorized users.
AuthZ
OpenClaw <2026.5.2: Credential Exfiltration via message.action Forwarding
CVE-2026-53827
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata.
SSRF
OpenClaw 2026.4.26 Info Disclosure via Sandboxed Session Exposure
CVE-2026-53826
4.3 - Medium
- June 12, 2026
OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to child models.
Exposure of Resource to Wrong Sphere
OpenClaw <2026.4.7: Arbitrary File Read via Memory-Wiki Ingest
CVE-2026-53825
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file paths to import file content into wiki memory, bypassing access restrictions.
Directory traversal
OpenClaw <2026.4.24: Token Revocation Allows Stale Slash Token Abuse
CVE-2026-53824
6.5 - Medium
- June 12, 2026
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially executing unauthorized actions depending on operator configuration.
Insufficient Session Expiration
OpenClaw <2026.5.3, Slack allowFrom Privilege Escalation
CVE-2026-53823
8.1 - High
- June 12, 2026
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities.
Authentication Bypass by Spoofing
OpenClaw <=2026.5.18 WS ClientScope Auth Bypass
CVE-2026-53821
8.8 - High
- June 12, 2026
OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs.
AuthZ
OpenClaw cmd injection before 2026.5.18 via argv
CVE-2026-53822
8.8 - High
- June 12, 2026
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls.
TOCTTOU
OpenClaw <2026.5.12 Exec Denylist Bypass via MCP Loopback Session-Spawn
CVE-2026-53820
6.6 - Medium
- June 12, 2026
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended.
AuthZ
OpenClaw <2026.5.27: Arbitrary Code Exec via .env Override in Skill Install
CVE-2026-53819
8.8 - High
- June 11, 2026
OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system.
Untrusted Path
OpenClaw <=2026.4.23 MCP loopback auth bypass executes owneronly tools
CVE-2026-53818
6.6 - Medium
- June 11, 2026
OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable.
AuthZ
OpenClaw <2026.5.22 Locality Validation Exploit Lets Admin Token Creation
CVE-2026-53817
8.8 - High
- June 11, 2026
OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation.
Authentication Bypass by Spoofing
