| # | Score | Severity | Vector | Vendor | Product | Description | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 1891 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender a… | CWE-288 Authentication Bypass Using an Alternate Path or Channel | CVE-2026-35654 | 2026-04-14 06:06 | 2026-04-11 |
| 1892 | 8.1 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypa… | CWE-863 Incorrect Authorization | CVE-2026-35653 | 2026-04-14 06:06 | 2026-04-11 |
| 1893 | 9.1 | CRITICAL | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. Attackers can bypass sender a… | CWE-696 Incorrect Behavior Order | CVE-2026-35652 | 2026-04-14 06:06 | 2026-04-11 |
| 1894 | 8.8 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted sco… | CWE-648 Incorrect Use of Privileged APIs | CVE-2026-35669 | 2026-04-14 06:06 | 2026-04-11 |
| 1895 | 8.1 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable nu… | CWE-807 Reliance on Untrusted Inputs in a Security Decision | CVE-2026-35670 | 2026-04-14 06:06 | 2026-04-11 |
| 1896 | 4.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can c… | CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences | CVE-2026-35651 | 2026-04-14 06:05 | 2026-04-11 |
| 1897 | 8.8 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. … | CWE-15 External Control of System or Configuration Setting | CVE-2026-35650 | 2026-04-14 05:46 | 2026-04-11 |
| 1898 | 6.5 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. The vulnerability trea… | CWE-183 Permissive List of Allowed Inputs | CVE-2026-35649 | 2026-04-14 05:46 | 2026-04-11 |
| 1899 | 5.9 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or… | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition | CVE-2026-35648 | 2026-04-14 05:46 | 2026-04-11 |
| 1900 | 5.3 | MEDIUM | Network | openclaw | openclaw | OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. Attackers can send verification notices to users out… | CWE-288 Authentication Bypass Using an Alternate Path or Channel | CVE-2026-35647 | 2026-04-14 05:45 | 2026-04-11 |