📦 Openclaw
by Openclaw
🛡️ Security Overview
⚠️ Known Vulnerabilities
OpenClaw's Docker sandbox configuration injection vulnerability allows attackers to escape container isolation and access the host system. This affects OpenClaw personal AI assistant deployments using...
OpenClaw versions 2026.2.13 and below on macOS are vulnerable to OS command injection when refreshing OAuth tokens in the Keychain. This allows attackers to execute arbitrary commands with the user's ...
OpenClaw's SSRF protection could be bypassed using IPv4-mapped IPv6 addresses, allowing attackers to access restricted internal resources like localhost or private networks. This affects all OpenClaw ...
OpenClaw's Feishu extension had a path traversal vulnerability that allowed reading arbitrary local files by supplying attacker-controlled paths. This affects OpenClaw installations with the Feishu ex...
OpenClaw versions 2026.1.8 through 2026.2.13 have a command injection vulnerability in a developer script that processes git commit metadata. When maintainers or CI systems run the affected script, ma...
OpenClaw versions 2026.2.13 and below with the @openclaw/voice-call plugin allow unauthenticated attackers to forge Telnyx webhook events when telnyx.publicKey is not configured. This affects deployme...
OpenClaw's BlueBubbles iMessage plugin allowed attackers to bypass authentication by sending webhook requests from localhost addresses without valid credentials. It affects OpenCl...
OpenClaw versions 2026.1.30 and below have an authentication bypass vulnerability in Telegram webhook mode. When channels.telegram.webhookSecret is not configured, the system accepts webhook requests ...
OpenClaw personal AI assistant versions before 2026.1.20 contain a command injection vulnerability. Unauthenticated local clients can exploit the Gateway WebSocket API to inject malicious commands tha...
OpenClaw versions before 2026.1.29 contain two command injection vulnerabilities. Attackers can execute arbitrary commands on remote SSH hosts via unescaped project paths or on local machines via mali...
OpenClaw (formerly Clawdbot) versions prior to 2026.1.29 contain a command injection vulnerability in the Docker sandbox execution mechanism. Authenticated users who can control environment variables ...
OpenClaw (also known as clawdbot or Moltbot) versions before 2026.1.29 automatically establish WebSocket connections using gatewayUrl values from query strings without user consent, transmitting authe...
OpenClaw's ACP bridge accepts excessively large prompt text blocks, allowing local ACP clients to send oversized payloads that could cause resource exhaustion or denial of service. This primarily affe...
OpenClaw versions 2026.2.17 and below have a symlink vulnerability in the skill packaging script that allows local file inclusion when building .skill archives. This affects developers who package ski...
OpenClaw versions before 2026.2.15 contain a path traversal vulnerability in the skill installation process. The bug allows malicious skill packages to write files outside the intended sandbox directo...
OpenClaw session tools allowed broader session targeting than intended in shared-agent deployments, potentially exposing transcript content across peer sessions in multi-user environments. The vulnera...
OpenClaw Control UI had a stored XSS vulnerability where attacker-controlled JavaScript could execute in the Control UI origin. This affected OpenClaw versions before 2026.2.15. Attackers could craft ...
OpenClaw versions 2026.1.12 through 2026.2.12 contain a path traversal vulnerability in browser download helpers that allows authenticated attackers to write files outside the intended temporary downl...
OpenClaw personal AI assistant versions before 2026.2.14 allow authenticated attackers to read arbitrary files from the Gateway host via path traversal in the browser tool's upload function. This affe...
OpenClaw personal AI assistant versions before 2026.2.14 could expose sensitive configuration secrets to clients with read-only permissions. The vulnerability occurs when the system returns raw resolv...
OpenClaw versions before 2026.1.30 contain a path traversal vulnerability in the isValidMedia() function that allows reading arbitrary files on the system. Any user or agent can exploit this by provid...