| # | CVSS | Severity | Attack Vector | Description | Status | CWE | CVE | Published | Updated |
|---|---|---|---|---|---|---|---|---|---|
| 121 | 6.5 | MEDIUM | Network | OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attack… | New | CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer | CVE-2026-43528 | 2026-05-5 21:16 | 2026-05-5 |
| 122 | 7.7 | HIGH | Network | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to… | New | CWE-918 Server-Side Request Forgery (SSRF); CWE-1188 Insecure Default Initialization of Resource | CVE-2026-43527 | 2026-05-5 21:16 | 2026-05-5 |
| 123 | 8.2 | HIGH | Network | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by provid… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-43526 | 2026-05-5 21:16 | 2026-05-5 |
| 124 | 8.5 | HIGH | Network | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy pr… | New | CWE-862 Missing Authorization | CVE-2026-42439 | 2026-05-5 21:16 | 2026-05-5 |
| 125 | 7.7 | HIGH | Network | OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers wi… | New | CWE-863 Incorrect Authorization | CVE-2026-42438 | 2026-05-5 21:16 | 2026-05-5 |
| 126 | 7.5 | HIGH | Network | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attacke… | New | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-42437 | 2026-05-5 21:16 | 2026-05-5 |
| 127 | 7.7 | HIGH | Network | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigatio… | New | CWE-862 Missing Authorization | CVE-2026-42436 | 2026-05-5 21:16 | 2026-05-5 |
| 128 | 8.8 | HIGH | Network | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attack… | New | CWE-184 Incomplete Blacklist | CVE-2026-42435 | 2026-05-5 21:16 | 2026-05-5 |
| 129 | 8.8 | HIGH | Network | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries … | New | CWE-863 Incorrect Authorization | CVE-2026-42434 | 2026-05-5 21:16 | 2026-05-5 |
| 130 | 6.5 | MEDIUM | Network | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can… | New | CWE-862 Missing Authorization | CVE-2026-42433 | 2026-05-5 21:16 | 2026-05-5 |