Total CVEs

143,226

Critical Severity

4,056

High Severity

14,605

Last 7 Days

1,273
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 221 - 240 of 548 CVEs
CVE-2026-41341 MEDIUM - 5.4

OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or t...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41340 MEDIUM - 6.5

OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named a...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41339 MEDIUM - 4.3

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41338 MEDIUM - 5.0

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir operations to manipulate files between validation and execution.

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41337 MEDIUM - 5.3

OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid callbacks for live calls can exploit this to manipulate callback origins during the...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41336 HIGH - 7.8

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted workspaces to execute arbitrary code.

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41335 MEDIUM - 5.3

OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and ag...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41334 MEDIUM - 6.5

OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images to cause denial of service through excessive memory consumption.

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD

OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket authentication flow to bypass rate limiting controls and conduct brute for...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41332 MEDIUM - 5.3

OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through attacker-controlled configuration files...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41909 MEDIUM - 5.4

OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same ...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41908 MEDIUM - 4.3

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retr...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 23, 2026
Source: NVD
CVE-2026-41331 MEDIUM - 5.3

OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiatin...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41330 MEDIUM - 4.4

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings, TLS verification, Do...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41329 CRITICAL - 9.9

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege ...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41303 HIGH - 8.8

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host e...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41302 HIGH - 7.6

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers can exploit unguarded fetch() calls to access internal resources or interact with external servic...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41301 MEDIUM - 5.3

OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing ...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41300 MEDIUM - 6.5

OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring oper...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD
CVE-2026-41299 HIGH - 7.1

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identit...

Vendor: OpenClaw
Product: OpenClaw
Published: Apr 21, 2026
Source: NVD