| CVE ID | 标题 | 严重程度 | 情报来源 | |||
|---|---|---|---|---|---|---|
| OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | CRITICAL | 9.2v4.0 | 4.60 | — | 2026. 05. 06. | |
| OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. |
CRITICAL |
| 9.2v4.0 |
4.60 |
| — |
| 2026. 05. 06. |
| CVE-2026-41329 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation. | CRITICAL | 9.0v4.0 | 4.50 | KISA | 2026. 04. 21. |
| CVE-2026-41296 | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files. | HIGH | 8.8v4.0 | 4.40 | — | 2026. 04. 21. |
| CVE-2026-43584 | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | HIGH | 8.7v4.0 | 4.35 | — | 2026. 05. 06. |
| CVE-2026-41303 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests. | HIGH | 8.7v4.0 | 4.35 | — | 2026. 04. 21. |
| CVE-2026-44118 | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | HIGH | 8.5v4.0 | 4.25 | — | 2026. 05. 06. |
| CVE-2026-44114 | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. | HIGH | 8.5v4.0 | 4.25 | — | 2026. 05. 06. |
| CVE-2026-41295 | OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted. | HIGH | 8.5v4.0 | 4.25 | — | 2026. 04. 21. |
| CVE-2026-41294 | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup. | HIGH | 8.5v4.0 | 4.25 | — | 2026. 04. 21. |
| CVE-2026-44112 | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. | HIGH | 8.4v4.0 | 4.20 | — | 2026. 05. 06. |
| CVE-2026-44113 | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. | HIGH | 8.3v4.0 | 4.15 | — | 2026. 05. 06. |
| CVE-2026-42437 | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the voice-call realtime WebSocket path. | HIGH | 8.2v4.0 | 4.10 | — | 2026. 05. 05. |
| CVE-2026-41299 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection. | HIGH | 7.1v4.0 | 3.55 | — | 2026. 04. 21. |
| CVE-2026-44116 | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 05. 06. |
| CVE-2026-41331 | OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit insufficient allowlist enforcement to cause resource or billing consumption by initiating audio preflight operations before authorization checks are applied. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 04. 21. |
| CVE-2026-41301 | OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature validation. An unauthenticated remote attacker can send forged direct messages to create pending pairing entries and trigger pairing-reply attempts, consuming shared pairing capacity and triggering bounded relay and logging work on the Nostr channel. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 04. 21. |
| CVE-2026-41300 | OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance. | MEDIUM | 6.9v4.0 | 3.45 | — | 2026. 04. 21. |
| CVE-2026-44117 | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. | MEDIUM | 6.3v4.0 | 3.15 | — | 2026. 05. 06. |
| CVE-2026-43583 | OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery. | MEDIUM | 6.0v4.0 | 3.00 | — | 2026. 05. 06. |