Openclaw
AI Threat Alert tracks 233 known AI/ML vulnerabilities affecting Openclaw products — each enriched with CVSS severity, EPSS exploit probability, patch status, and CISO-grade analysis. Browse every Openclaw CVE below, sorted by severity and recency.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35631 | OpenClaw: auth bypass on ACP mutating commands | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35635 | OpenClaw: webhook route hijack bypasses DM access controls | OpenClaw | 4.8 |
| MEDIUM | CVE-2026-35633 | OpenClaw: unbounded memory alloc DoS via crafted HTTP errors | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35636 | OpenClaw: session isolation bypass exposes parent sessions | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35644 | OpenClaw: credential exposure via gateway channel URLs | OpenClaw | 6.5 |
| HIGH | CVE-2026-35639 | OpenClaw: scope bypass enables admin RCE via device pairing | OpenClaw | 8.8 |
| HIGH | CVE-2026-35645 | OpenClaw: privilege escalation via synthetic admin session scope | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-35642 | OpenClaw: auth bypass injects restricted agent events | OpenClaw | 4.3 |
| HIGH | CVE-2026-35643 | OpenClaw: WebView bridge injection enables Android RCE | OpenClaw | 8.8 |
| HIGH | CVE-2026-35641 | OpenClaw: RCE via .npmrc override in plugin install | OpenClaw | 7.8 |
| LOW | CVE-2026-35648 | OpenClaw: policy bypass via stale queued node actions | OpenClaw | 3.7 |
| HIGH | CVE-2026-35653 | OpenClaw: auth bypass enables agent profile destruction | OpenClaw | 8.1 |
| MEDIUM | CVE-2026-35652 | OpenClaw: auth bypass enables unauthorized action execution | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35654 | OpenClaw: auth bypass on Teams feedback invoke | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-35649 | OpenClaw: access control bypass via allowlist reconciliation | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35647 | OpenClaw: access control bypass allows DM policy evasion | OpenClaw | 5.3 |
| HIGH | CVE-2026-35650 | OpenClaw: env var override bypass enables code execution | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-35658 | OpenClaw: sandbox bypass exposes host filesystem reads | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-35659 | OpenClaw: DNS-SD metadata hijacks CLI routing | OpenClaw | 4.6 |
| MEDIUM | CVE-2026-35655 | OpenClaw: identity spoofing bypasses agent safety checks | OpenClaw | 5.7 |
Frequently asked questions
How many known vulnerabilities affect Openclaw?
233 AI/ML CVEs affecting Openclaw products are tracked, sourced from NVD and GitHub Advisory.
What Openclaw products are affected?
The CVEs below map to the Openclaw AI/ML packages and tools tracked by AI Threat Alert; open any CVE to see the affected components and versions.
Where does the Openclaw vulnerability data come from?
Data is sourced from NVD and GitHub Advisory, then enriched with CVSS severity, EPSS exploit probability, and patch status for each CVE.
How can I monitor Openclaw for new vulnerabilities?
AI Threat Alert tracks Openclaw continuously; a Pro subscription adds breaking alerts when new CVEs affecting Openclaw are published.
How do I assess Openclaw's security exposure?
Each CVE below carries CVSS severity and exploitation signals, so you can review the highest-severity Openclaw issues first and judge the exposure for your stack.