OpenClaw Vulnerabilities

Tags: pip, AI Agents

Total CVEs: 136
Critical: 3
Ecosystem: pip
Last CVE: May 6, 2026
Patch Rate: 91%
Avg Time to Patch: 0d

Known Vulnerabilities (136 total, page 3 of 6)

| Severity | CVE ID | Summary | CVSS | Published |
|---|---|---|---|---|
| MEDIUM | GHSA-f3h5-h452-vp3j | openclaw: insufficient authz allows agent config persistence | -- | Apr 17, 2026 |
| MEDIUM | GHSA-rj2p-j66c-mgqh | openclaw: SSRF policy bypass in browser tab actions | -- | Apr 17, 2026 |
| MEDIUM | GHSA-527m-976r-jf79 | openclaw: SSRF bypass in existing browser session routes | -- | Apr 17, 2026 |
| HIGH | GHSA-939r-rj45-g2rj | openclaw: untrusted plugin auto-enabled during onboarding | -- | Apr 17, 2026 |
| MEDIUM | GHSA-qmwg-qprg-3j38 | openclaw: CDP pivot bypasses file:// navigation guards | -- | Apr 17, 2026 |
| MEDIUM | GHSA-536q-mj95-h29h | openclaw: SSRF bypass via browser navigation guard gap | -- | Apr 17, 2026 |
| HIGH | GHSA-736r-jwj6-4w23 | openclaw: sandbox escape via host=node exec routing bypass | -- | Apr 17, 2026 |
| HIGH | GHSA-7jp6-r74r-995q | openclaw: auth bypass lets write-scope callers mutate admin config | -- | Apr 17, 2026 |
| HIGH | GHSA-2cq5-mf3v-mx44 | openclaw: exec approval bypass via opaque multi-call binaries | -- | Apr 17, 2026 |
| HIGH | GHSA-66r7-m7xm-v49h | openclaw: path traversal exposes host files via media tags | -- | Apr 17, 2026 |
| MEDIUM | GHSA-jhpv-5j76-m56h | OpenClaw: auth bypass leaks host files via media path | -- | Apr 17, 2026 |
| MEDIUM | GHSA-f7fh-qg34-x2xh | openclaw: CDP SSRF enables internal host pivot | -- | Apr 17, 2026 |
| HIGH | GHSA-xmxx-7p24-h892 | OpenClaw: stale bearer token survives SecretRef rotation | -- | Apr 17, 2026 |
| HIGH | GHSA-2gvc-4f3c-2855 | OpenClaw: auth bypass lets DM senders run room commands | -- | Apr 17, 2026 |
| CRITICAL | GHSA-xh72-v6v9-mwhc | OpenClaw: auth bypass enables unauthenticated command exec | -- | Apr 17, 2026 |
| HIGH | GHSA-mr34-9552-qr95 | openclaw: path traversal leaks files and NTLM credentials | -- | Apr 17, 2026 |
| MEDIUM | GHSA-f934-5rqf-xx47 | OpenClaw: path traversal in memory_get reads arbitrary workspace files | -- | Apr 17, 2026 |
| LOW | GHSA-gj9q-8w99-mp8j | openclaw: TOCTOU race bypasses exec script preflight | -- | Apr 16, 2026 |
| HIGH | CVE-2026-35629 | openclaw: SSRF in channel extensions hits internal network | -- | Mar 29, 2026 |
| MEDIUM | CVE-2026-35640 | openclaw: unauthenticated webhook parsing enables DoS | -- | Mar 29, 2026 |
| MEDIUM | CVE-2026-35646 | openclaw: webhook rate-limit bypass enables token brute-force | -- | Mar 29, 2026 |
| MEDIUM | CVE-2026-6011 | OpenClaw: SSRF via web-fetch enables internal network pivot | 5.6 | Apr 10, 2026 |
| MEDIUM | CVE-2026-35657 | openclaw: auth bypass exposes agent session history via HTTP | -- | Mar 29, 2026 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | 4.3 | Apr 10, 2026 |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | -- | Apr 9, 2026 |

Showing 51–75 of 136
