|
411
|
7.3 |
HIGH
Adjacent
|
-
|
-
|
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Att…
New
|
CWE-346
Origin Validation Error
|
CVE-2026-41342
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
412
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook e…
New
|
CWE-799
Improper Control of Interaction Frequency
|
CVE-2026-41343
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
413
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attack…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41344
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
414
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by…
New
|
CWE-522
Insufficiently Protected Credentials
|
CVE-2026-41345
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
415
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit…
New
|
CWE-799
Improper Control of Interaction Frequency
|
CVE-2026-41346
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
416
|
7.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by s…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-41347
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
417
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Disco…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41348
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
418
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to …
New
|
CWE-862
Missing Authorization
|
CVE-2026-41349
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
419
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41350
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
420
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-enc…
New
|
CWE-294
Authentication Bypass by Capture-replay
|
CVE-2026-41351
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
