|
71
|
8.0 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with…
New
|
CWE-451
User Interface (UI) Misrepresentation of Critical Information
|
CVE-2026-53829
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
72
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-53828
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
73
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacke…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-53827
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
74
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning …
New
|
CWE-668
Exposure of Resource to Wrong Sphere
|
CVE-2026-53826
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
75
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outs…
New
|
CWE-22
Path Traversal
|
CVE-2026-53825
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
76
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit sta…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-53824
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
77
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name …
New
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-53823
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
78
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist appr…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-53822
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
79
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Con…
New
|
CWE-862
Missing Authorization
|
CVE-2026-53821
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
80
|
6.6 |
MEDIUM
Local
|
-
|
-
|
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attac…
New
|
CWE-862
Missing Authorization
|
CVE-2026-53820
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
