Total CVEs

143,232

Critical Severity

4,056

High Severity

14,610

Last 7 Days

1,242
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 521 - 540 of 548 CVEs
CVE-2026-27007 MEDIUM - 3.3

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made order-sensitive sandbox configuration arrays hash to the same value even when order changed. In OpenCla...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27004 MEDIUM - 5.5

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue ...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27003 MEDIUM - 5.5

OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27002 HIGH - 9.8

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfined profiles) to be applied, enabling container escape or host data access. OpenClaw 2026.2.15 blocks...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27001 HIGH - 7.8

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can cause OpenClaw to run inside a directory whose name contains control/format characters (for example ...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27486 MEDIUM - 5.3

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes can...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-27487 HIGH - 7.6

OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, when using macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via security add-generic-password -w .... Because OAuth tokens are user-controlled data, th...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26972 MEDIUM - 6.7

OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads direct...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26317 HIGH - 7.1

OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding reduces remote exposure but does not prevent browser-initiated requests from malicious origins. A mali...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26323 HIGH - 8.8

OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintainers (or CI) who run `bun scripts/update-clawtributors.ts` in a source checkout that contains a mali...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26329 HIGH - 6.5

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFile...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26328 MEDIUM - 6.5

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, broadening DM trust into group contexts. Version 2026.2.14 fixes the issue.

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26327 HIGH - 6.5

OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthenticated. Prior to version 2026.2.14, some clients treated TXT values as authoritative routing/pinning i...

Vendor: npm
Product: openclaw
Published: Feb 18, 2026
Source: GitHub
CVE-2026-26326 MEDIUM - 4.3

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement ...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26325 HIGH - 7.2

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be performed on one command while executing a different argv. This only impacts deployments that use the...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26324 HIGH - 7.5

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0.0.1`). This could allow requests that should be blocked (loopback / private network / link-loc...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26322 HIGH - 7.6

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to attempt outbound WebSocket connections to user-specified targets. This requires the ability to invo...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26321 HIGH - 7.5

OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem paths and read them directly. If an attacker can influence tool calls (directly or via prompt injecti...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26320 HIGH - 6.5

OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation dialog that previously displayed only the first 240 characters of the message, but executed the full ...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub
CVE-2026-26319 HIGH - 7.5

OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are ex...

Vendor: npm
Product: openclaw
Published: Feb 17, 2026
Source: GitHub