| # | CVSS | Severity | Attack vector | Description | Status | CWE | CVE | Dates (as listed) |
|---|------|----------|---------------|-------------|--------|-----|-----|-------------------|
| 191 | 8.8 | HIGH | Network | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke a… | New | CWE-863 Incorrect Authorization | CVE-2026-53807 | 2026-06-13 00:58; 2026-06-12 |
| 192 | 6.5 | MEDIUM | Network | OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuratio… | New | CWE-863 Incorrect Authorization | CVE-2026-53808 | 2026-06-13 00:58; 2026-06-12 |
| 193 | 3.8 | LOW | Local | OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identit… | New | CWE-863 Incorrect Authorization | CVE-2026-53809 | 2026-06-13 00:58; 2026-06-12 |
| 194 | 8.8 | HIGH | Network | OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator … | New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-53810 | 2026-06-13 00:58; 2026-06-12 |
| 195 | 8.8 | HIGH | Network | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata… | New | CWE-290 Authentication Bypass by Spoofing | CVE-2026-53811 | 2026-06-13 00:58; 2026-06-12 |
| 196 | 7.7 | HIGH | Network | OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act in… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-53812 | 2026-06-13 00:58; 2026-06-12 |
| 197 | 7.8 | HIGH | Local | OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected wor… | New | CWE-427 Uncontrolled Search Path Element | CVE-2026-53813 | 2026-06-13 00:58; 2026-06-12 |
| 198 | 8.3 | HIGH | Network | OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Atta… | New | CWE-266 Incorrect Privilege Assignment | CVE-2026-53814 | 2026-06-13 00:58; 2026-06-12 |
| 199 | 6.5 | MEDIUM | Network | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intend… | New | CWE-862 Missing Authorization | CVE-2026-53815 | 2026-06-13 00:58; 2026-06-12 |
| 200 | 7.2 | HIGH | Network | OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization.… | New | CWE-862 Missing Authorization | CVE-2026-53816 | 2026-06-13 00:58; 2026-06-12 |
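Two of the rows above share one root cause: an allowlist or policy that compares against a label the subject controls or that has several spellings (a Matrix display name in CVE-2026-53811, a provider alias in CVE-2026-53809) instead of the stable, canonical identifier. The snippet below is an added illustration of that pattern and its fix, written for this page; it is not OpenClaw code, and the `Sender` shape, the `PROVIDER_ALIASES` table and every function name are hypothetical.

```typescript
// Added illustration, not OpenClaw code. Shows why allowFrom-style policy
// checks must compare stable, canonical identifiers rather than mutable
// labels (display names) or provider aliases.

// Hypothetical sender record as a chat adapter might hand it to a policy layer.
interface Sender {
  accountId: string;    // stable, server-assigned, e.g. "@alice:example.org"
  displayName: string;  // mutable: the account holder can set this to anything
}

// Hypothetical alias table: several spellings that all mean one canonical provider.
const PROVIDER_ALIASES: Record<string, string> = {
  "oai": "openai",
  "open-ai": "openai",
  "anthropic-claude": "anthropic",
};

// Map any accepted spelling to its canonical provider id. hasOwnProperty is
// used deliberately so that keys such as "constructor" do not hit the prototype.
function canonicalProvider(name: string): string {
  const key = name.trim().toLowerCase();
  return Object.prototype.hasOwnProperty.call(PROVIDER_ALIASES, key)
    ? PROVIDER_ALIASES[key]
    : key;
}

// Vulnerable pattern: the entry matches if EITHER the account id or the display
// name is on the list, so anyone who renames themselves to an allowed name passes.
function isAllowedWeak(sender: Sender, allowFrom: string[]): boolean {
  return allowFrom.includes(sender.accountId) || allowFrom.includes(sender.displayName);
}

// Hardened pattern: only the stable account id takes part in the decision.
function isAllowedStrict(sender: Sender, allowFrom: string[]): boolean {
  return allowFrom.includes(sender.accountId);
}

// Vulnerable pattern: policy is written in canonical names but the request is
// compared as typed, so an alias never matches the policy entry.
function providerMatchesWeak(requested: string, policyEntries: string[]): boolean {
  return policyEntries.includes(requested);
}

// Hardened pattern: canonicalise both sides before comparing.
function providerMatchesStrict(requested: string, policyEntries: string[]): boolean {
  const target = canonicalProvider(requested);
  return policyEntries.some((entry) => canonicalProvider(entry) === target);
}
```

Whether the policy is an allow list or a deny list, the decision is only as strong as the identifier it keys on; a display name is an attacker-chosen string, and an un-canonicalised alias is a second name for the same principal that the policy author never wrote down.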
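Row 196 (CVE-2026-53812) concerns a private-network navigation check in an agent-driven browser. The truncated summary does not say how the check was bypassed, so the block below does not reproduce that bug; it is an added example of what such a guard has to do in general: normalise the URL, resolve the host, refuse any private, loopback, link-local or IPv4-mapped address, and apply the same test to every hop of a navigation rather than only the first URL. It is not OpenClaw code; the `Resolver` type, the `BLOCKED_V4` table and all function names are hypothetical, and the resolver is injected so the example runs offline.

```typescript
// Added illustration, not OpenClaw code: a private-network guard for browser
// navigation. The resolver is injected (hypothetical Resolver type) so this
// runs offline; in production it would wrap the real DNS lookup.

type Resolver = (host: string) => string[];

// Parse dotted-quad IPv4 into a 32-bit number, or null if it is not IPv4.
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Blocked IPv4 prefixes: unspecified, RFC 1918, CGNAT, loopback, link-local
// (which includes the cloud metadata address 169.254.169.254).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function isPrivateAddress(ip: string): boolean {
  let candidate = ip.toLowerCase();
  // Unwrap IPv4-mapped IPv6. The WHATWG URL parser serialises ::ffff:127.0.0.1
  // as ::ffff:7f00:1, so both the dotted and the hex-group form are handled.
  if (candidate.startsWith("::ffff:")) {
    const rest = candidate.slice(7);
    const m = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
    if (m) {
      const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
      candidate = [hi >> 8, hi & 255, lo >> 8, lo & 255].join(".");
    } else {
      candidate = rest;
    }
  }
  const v4 = ipv4ToInt(candidate);
  if (v4 !== null) {
    return BLOCKED_V4.some(([net, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((v4 & mask) >>> 0) === (((ipv4ToInt(net) as number) & mask) >>> 0);
    });
  }
  // Minimal IPv6 coverage: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  if (candidate === "::1" || candidate === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(candidate)) return true;
  if (/^fe[89ab][0-9a-f]:/.test(candidate)) return true;
  return false;
}

// Decide whether one navigation target may be fetched. Parsing through URL
// normalises octal/decimal IPv4 spellings (0177.0.0.1 becomes 127.0.0.1), and a
// hostname is refused if ANY address it resolves to is private.
function navigationAllowed(url: string, resolve: Resolver): boolean {
  let parsed: URL;
  try { parsed = new URL(url); } catch { return false; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  const host = parsed.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : resolve(host);
  if (addrs.length === 0) return false;
  return addrs.every((a) => !isPrivateAddress(a));
}

// Apply the guard to every hop, not only the first URL: a public page can
// redirect or script a later navigation toward an internal address.
function navigationChainAllowed(hops: string[], resolve: Resolver): boolean {
  return hops.every((u) => navigationAllowed(u, resolve));
}
```

Two caveats a practitioner would add: the resolver result used for the decision must be the one actually connected to (otherwise a DNS rebinding window remains), and the chain check has to be wired into whichever navigation events the browser automation layer exposes, not only the top-level `goto`.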