|
421
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials …
New
|
CWE-862
Missing Authorization
|
CVE-2026-41352
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
422
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and…
New
|
CWE-472
External Control of Assumed-Immutable Web Parameter
|
CVE-2026-41353
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
423
|
3.7 |
LOW
Network
|
-
|
-
|
OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers ca…
New
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-41354
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
424
|
7.3 |
HIGH
Local
|
-
|
-
|
OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute …
New
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41355
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
425
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-41356
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
426
|
3.3 |
LOW
Local
|
-
|
-
|
OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leve…
New
|
CWE-214
Invocation of Process Using Visible Sensitive Information
|
CVE-2026-41357
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
427
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through …
New
|
CWE-346
Origin Validation Error
|
CVE-2026-41358
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
428
|
7.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence setti…
New
|
CWE-269
Improper Privilege Management
|
CVE-2026-41359
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
429
|
6.7 |
MEDIUM
Local
|
-
|
-
|
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scri…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-41360
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
430
|
7.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable …
New
|
CWE-184
Incomplete Blacklist
|
CVE-2026-41361
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
