|
511
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exp…
New
|
CWE-372
Incomplete Internal State Distinction
|
CVE-2026-41340
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
512
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-component…
New
|
CWE-351
Insufficient Type Distinction
|
CVE-2026-41341
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
513
|
7.3 |
HIGH
Adjacent
|
-
|
-
|
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Att…
New
|
CWE-346
Origin Validation Error
|
CVE-2026-41342
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
514
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook e…
New
|
CWE-799
Improper Control of Interaction Frequency
|
CVE-2026-41343
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
515
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attack…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41344
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
516
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by…
New
|
CWE-522
Insufficiently Protected Credentials
|
CVE-2026-41345
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
517
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit…
New
|
CWE-799
Improper Control of Interaction Frequency
|
CVE-2026-41346
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
518
|
7.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by s…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-41347
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
519
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Disco…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41348
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
520
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to …
New
|
CWE-862
Missing Authorization
|
CVE-2026-41349
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
