|
391
|
7.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers w…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41379
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
392
|
7.3 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targ…
New
|
CWE-807
Reliance on Untrusted Inputs in a Security Decision
|
CVE-2026-41380
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
393
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers ca…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41381
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
394
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stal…
New
|
CWE-862
Missing Authorization
|
CVE-2026-41382
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
395
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWork…
New
|
CWE-22
Path Traversal
|
CVE-2026-41383
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
396
|
7.8 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configur…
New
|
CWE-15
External Control of System or Configuration Setting
|
CVE-2026-41384
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
397
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted …
New
|
CWE-312
Cleartext Storage of Sensitive Information
|
CVE-2026-41385
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
398
|
9.1 |
CRITICAL
Network
|
-
|
-
|
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during…
New
|
CWE-648
Incorrect Use of Privileged APIs
|
CVE-2026-41386
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
399
|
7.8 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment…
New
|
CWE-183
Permissive List of Allowed Inputs
|
CVE-2026-41387
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
400
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate r…
New
|
CWE-372
Incomplete Internal State Distinction
|
CVE-2026-41388
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
