| # | CVSS | Severity | Attack vector | | | Summary | Status | CWE | CVE | Published | Updated |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 701 | 5.3 | MEDIUM | Network | - | - | OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass … | New | CWE-862 Missing Authorization | CVE-2026-43572 | 2026-05-05 21:16 | 2026-05-05 |
| 702 | 8.8 | HIGH | Network | - | - | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can expl… | New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-43571 | 2026-05-05 21:16 | 2026-05-05 |
| 703 | 6.5 | MEDIUM | Network | - | - | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Atta… | New | CWE-61 UNIX Symbolic Link (Symlink) Following | CVE-2026-43570 | 2026-05-05 21:16 | 2026-05-05 |
| 704 | 8.8 | HIGH | Network | - | - | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shado… | New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-43569 | 2026-05-05 21:16 | 2026-05-05 |
| 705 | 6.5 | MEDIUM | Network | - | - | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gat… | New | CWE-862 Missing Authorization | CVE-2026-43568 | 2026-05-05 21:16 | 2026-05-05 |
| 706 | 6.5 | MEDIUM | Network | - | - | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifyin… | New | CWE-862 Missing Authorization | CVE-2026-43567 | 2026-05-05 21:16 | 2026-05-05 |
| 707 | 9.1 | CRITICAL | Network | - | - | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can expl… | New | CWE-184 Incomplete Blacklist | CVE-2026-43566 | 2026-05-05 21:16 | 2026-05-05 |
| 708 | 6.8 | MEDIUM | Network | - | - | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization c… | New | CWE-266 Incorrect Privilege Assignment | CVE-2026-43535 | 2026-05-05 21:16 | 2026-05-05 |
| 709 | 9.1 | CRITICAL | Network | - | - | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate … | New | CWE-345 Insufficient Verification of Data Authenticity | CVE-2026-43534 | 2026-05-05 21:16 | 2026-05-05 |
| 710 | 8.6 | HIGH | Network | - | - | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers … | New | CWE-23 Relative Path Traversal | CVE-2026-43533 | 2026-05-05 21:16 | 2026-05-05 |
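Three of the entries above (the marketplace repository root escape via symlink, the screen_record outPath that bypasses workspace-only guards, and the QQBot media tag that references host-local paths) are all failures to keep a caller-supplied path inside one root directory. The check below is an added example of how such a guard is written so that it survives all three input classes; it is not OpenClaw's code, TypeScript is assumed as the project's language, and the names `resolveInsideRoot`, `isInsideRoot`, `realpathOfDeepestExisting` and `demo` are hypothetical. The fixture it builds is constructed for the demonstration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not OpenClaw code): resolve symlinks on the deepest
// existing ancestor of `p`, then re-append the components that do not exist
// yet, so a path that is about to be *created* (an output file) is checkable.
function realpathOfDeepestExisting(p: string): string {
  const missing: string[] = [];
  let cur = p;
  for (;;) {
    try {
      const real = fs.realpathSync(cur);
      return missing.length ? path.join(real, ...missing.reverse()) : real;
    } catch (err) {
      const parent = path.dirname(cur);
      if (parent === cur) throw err; // nothing on the way to "/" exists: give up
      missing.push(path.basename(cur));
      cur = parent;
    }
  }
}

// Returns the physical path if `candidate` stays inside `root`, otherwise null.
// `candidate` may be relative (interpreted against root) or absolute.
export function resolveInsideRoot(root: string, candidate: string): string | null {
  const realRoot = fs.realpathSync(root);
  // 1. Lexical normalisation collapses "." and ".." (relative traversal, CWE-23).
  const lexical = path.resolve(realRoot, candidate);
  // 2. Physical resolution follows symlinks on every existing component, so a
  //    link inside the root that points outside it is caught as well (CWE-61).
  const real = realpathOfDeepestExisting(lexical);
  // 3. Containment is decided on path components, not a string prefix:
  //    "/ws-evil/x" starts with "/ws" but is not inside "/ws".
  const rel = path.relative(realRoot, real);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : real;
}

export function isInsideRoot(root: string, candidate: string): boolean {
  return resolveInsideRoot(root, candidate) !== null;
}

// Constructed fixture: a throwaway workspace, a sibling "outside" directory and
// a symlink in the workspace that points at it. Returns allow/deny per case.
export function demo(): Record<string, boolean> {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "containment-"));
  const workspace = path.join(base, "workspace");
  const outside = path.join(base, "outside");
  fs.mkdirSync(workspace);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(outside, "secret.txt"), "constructed sample\n");
  fs.writeFileSync(path.join(workspace, "notes.txt"), "constructed sample\n");
  fs.symlinkSync(outside, path.join(workspace, "escape")); // link leaving the root
  try {
    return {
      existingFile: isInsideRoot(workspace, "notes.txt"),
      newOutputFile: isInsideRoot(workspace, "recordings/capture.mp4"),
      dotDotTraversal: isInsideRoot(workspace, "../outside/secret.txt"),
      absoluteOutside: isInsideRoot(workspace, path.join(outside, "secret.txt")),
      symlinkEscape: isInsideRoot(workspace, "escape/secret.txt"),
      dotDotPrefixName: isInsideRoot(workspace, "..config"), // legitimate name, must pass
      siblingPrefix: isInsideRoot(workspace, path.join(base, "workspace-evil", "x")),
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

The order matters: lexical normalisation alone misses the symlink case, and realpath alone fails for output files that do not exist yet, which is exactly the situation for a parameter such as an output path. Resolving the root itself with realpath also keeps the check correct on systems where the temp or home directory is a symlink.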
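Entry 708 describes a batch of collect-mode messages from different senders inheriting the final sender's authorization context, and entry 701 a handler that skips the sender allowlist entirely. Both reduce to the same rule: authorization is a property of each message's sender, never of the batch or the channel. The following is an added example of that rule in code, not OpenClaw's code; TypeScript is assumed as the project's language, the collect-queue semantics and the types `InboundMessage`, `AuthzContext` and `Handled` are assumptions made for the illustration, and the messages are constructed.

```typescript
// Shapes assumed for this example, not OpenClaw's types.
export type InboundMessage = { sender: string; text: string };
export type AuthzContext = { sender: string; isOperator: boolean; canRunTools: boolean };
export type Handled = { sender: string; text: string; ranTools: boolean };

// Rights derive from the sender identity alone; an unlisted sender has none.
export function authorize(sender: string, allowlist: ReadonlySet<string>): AuthzContext {
  const isOperator = allowlist.has(sender);
  return { sender, isOperator, canRunTools: isOperator };
}

// Collect mode (assumed semantics): messages that arrive within one window are
// queued and flushed together, regardless of who sent them.
export class CollectQueue {
  private pending: InboundMessage[] = [];
  push(m: InboundMessage): void {
    this.pending.push(m);
  }
  flush(): InboundMessage[] {
    const batch = this.pending;
    this.pending = [];
    return batch;
  }
}

function wantsTool(m: InboundMessage): boolean {
  return m.text.startsWith("/run ");
}

// Vulnerable pattern (the batch case of CWE-266): one context is built from the
// final message and reused for the whole batch, so every earlier message
// inherits that sender's privileges, and an outsider's request runs as the owner.
export function handleBatchVulnerable(batch: InboundMessage[], allowlist: ReadonlySet<string>): Handled[] {
  if (batch.length === 0) return [];
  const ctx = authorize(batch[batch.length - 1].sender, allowlist);
  return batch.map((m) => ({ sender: m.sender, text: m.text, ranTools: ctx.canRunTools && wantsTool(m) }));
}

// Hardened: authorize per message against its own sender, and drop unlisted
// senders before any privileged handling rather than merely withholding tools.
export function handleBatchHardened(batch: InboundMessage[], allowlist: ReadonlySet<string>): Handled[] {
  const out: Handled[] = [];
  for (const m of batch) {
    const ctx = authorize(m.sender, allowlist);
    if (!ctx.isOperator) continue;
    out.push({ sender: m.sender, text: m.text, ranTools: ctx.canRunTools && wantsTool(m) });
  }
  return out;
}

// Constructed sample: an outsider's message lands in the same collect window as
// the owner's. The reversed order shows the same bug cutting the other way,
// denying the owner because the outsider happened to be last.
export function demo() {
  const allowlist = new Set(["owner@example.test"]);
  const outsider = { sender: "outsider@example.test", text: "/run cat ~/.ssh/id_ed25519" };
  const owner = { sender: "owner@example.test", text: "/run ls ~/projects" };

  const q = new CollectQueue();
  q.push(outsider);
  q.push(owner);
  const batch = q.flush();

  return {
    vulnerable: handleBatchVulnerable(batch, allowlist),
    vulnerableReversed: handleBatchVulnerable([owner, outsider], allowlist),
    hardened: handleBatchHardened(batch, allowlist),
  };
}
```

The check that matters is the one inside the loop: any design in which the context is computed once per batch, per channel or per connection is wrong as soon as the unit of delivery can carry messages from more than one principal.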