Total CVEs

143,208

Critical Severity

4,054

High Severity

14,598

Last 7 Days

1,283
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 101 - 120 of 548 CVEs
CVE-2026-43584 HIGH - 8.8

OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipul...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43583 MEDIUM - 5.3

OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery.

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43582 MEDIUM - 6.3

OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivo...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43581 CRITICAL - 9.6

OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration.

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43580 HIGH - 7.7

OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute una...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43579 MEDIUM - 6.5

OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings t...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43578 CRITICAL - 9.1

OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context t...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43577 MEDIUM - 6.5

OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43576 HIGH - 7.7

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to a...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43575 CRITICAL - 9.8

OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive...

Vendor: OpenClaw
Product: OpenClaw
Published: May 06, 2026
Source: NVD
CVE-2026-43574 MEDIUM - 6.5

OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43573 HIGH - 7.7

OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43572 MEDIUM - 5.3

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, all...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43571 HIGH - 8.8

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time p...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43570 MEDIUM - 6.5

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended reposi...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43569 HIGH - 8.8

OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically select...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43568 MEDIUM - 6.5

OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43567 MEDIUM - 6.5

OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43566 CRITICAL - 9.1

OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the r...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD
CVE-2026-43535 MEDIUM - 6.8

OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a ...

Vendor: OpenClaw
Product: OpenClaw
Published: May 05, 2026
Source: NVD