Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,325
Quick preset (or use dates below)
Clear Filters
Showing 41 - 60 of 548 CVEs
CVE-2026-53829 HIGH - 8.0

OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval.

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53828 HIGH - 8.8

OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command handling to bypass the configured owner-command access control, ...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53827 MEDIUM - 6.5

OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by provid...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53826 MEDIUM - 4.3

OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to ...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53825 MEDIUM - 6.5

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file pa...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53824 MEDIUM - 6.5

OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially exec...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53823 HIGH - 8.1

OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other id...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53822 HIGH - 8.8

OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls.

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53821 HIGH - 8.8

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute a...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53820 MEDIUM - 6.6

OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command rea...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 12, 2026
Source: NVD
CVE-2026-53819 HIGH - 8.8

OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setu...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53818 MEDIUM - 6.6

OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53817 HIGH - 8.8

OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert tempora...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53816 HIGH - 7.2

OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53815 MEDIUM - 6.5

OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensi...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53814 HIGH - 8.3

OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to ...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53813 HIGH - 7.8

OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicio...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53812 HIGH - 7.7

OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirect...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53811 HIGH - 8.8

OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Ma...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD
CVE-2026-53810 HIGH - 8.8

OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, b...

Vendor: OpenClaw
Product: OpenClaw
Published: Jun 11, 2026
Source: NVD