|
271
|
8.1 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42431
|
2026-04-30 23:06 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
272
|
7.1 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.wr…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42429
|
2026-04-30 23:06 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
273
|
6.5 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time na…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42430
|
2026-04-30 23:05 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
274
|
7.1 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the…
New
|
CWE-353
Missing Support for Integrity Check
|
CVE-2026-42428
|
2026-04-30 23:05 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
275
|
5.3 |
MEDIUM
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. …
New
|
CWE-184
Incomplete Blacklist
|
CVE-2026-42427
|
2026-04-30 23:05 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
276
|
5.0 |
MEDIUM
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting malicious sha…
New
|
CWE-73
External Control of File Name or Path
|
CVE-2026-42424
|
2026-04-30 23:05 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
277
|
8.8 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unpr…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42426
|
2026-04-30 23:05 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
278
|
7.5 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeo…
New
|
CWE-636
Not Failing Securely ('Failing Open')
|
CVE-2026-42423
|
2026-04-30 23:04 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
279
|
8.8 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing to …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42422
|
2026-04-30 23:04 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
280
|
6.5 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42420
|
2026-04-30 23:04 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
