|
351
|
7.5 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke s…
|
CWE-863
Incorrect Authorization
|
CVE-2026-53834
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
352
|
7.7 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictio…
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-53833
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
353
|
7.7 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gate…
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-53832
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
354
|
8.3 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenti…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-53831
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
355
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can explo…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-53830
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
356
|
8.0 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with…
|
CWE-451
User Interface (UI) Misrepresentation of Critical Information
|
CVE-2026-53829
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
357
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. …
|
CWE-863
Incorrect Authorization
|
CVE-2026-53828
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
358
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacke…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-53827
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
359
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning …
|
CWE-668
Exposure of Resource to Wrong Sphere
|
CVE-2026-53826
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
360
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outs…
|
CWE-22
Path Traversal
|
CVE-2026-53825
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
