Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692
Total
727
Critical
3080
High
3407
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41347 | HIGH | 7.1 | OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by … | Apr 23, 2026 |
| CVE-2026-41346 | MEDIUM | 5.3 | OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers … | Apr 23, 2026 |
| CVE-2026-41345 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting … | Apr 23, 2026 |
| CVE-2026-41344 | MEDIUM | 5.4 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can … | Apr 23, 2026 |
| CVE-2026-41343 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can … | Apr 23, 2026 |
| CVE-2026-41342 | HIGH | 7.3 | OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof … | Apr 23, 2026 |
| CVE-2026-41341 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit … | Apr 23, 2026 |
| CVE-2026-41340 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this … | Apr 23, 2026 |
| CVE-2026-41339 | MEDIUM | 4.3 | OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and … | Apr 23, 2026 |
| CVE-2026-41338 | MEDIUM | 5.0 | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, … | Apr 23, 2026 |
| CVE-2026-41337 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers … | Apr 23, 2026 |
| CVE-2026-41336 | HIGH | 7.8 | OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled … | Apr 23, 2026 |
| CVE-2026-41335 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive … | Apr 23, 2026 |
| CVE-2026-41334 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by … | Apr 23, 2026 |
| CVE-2026-41333 | LOW | 3.7 | OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit … | Apr 23, 2026 |
| CVE-2026-41332 | MEDIUM | 5.3 | OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec … | Apr 23, 2026 |
| CVE-2026-41274 | UNKNOWN | — | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input … | Apr 23, 2026 |
| CVE-2026-35431 | CRITICAL | 10.0 | Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. | Apr 23, 2026 |
| CVE-2026-33819 | CRITICAL | 10.0 | Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network. | Apr 23, 2026 |
| CVE-2026-33102 | CRITICAL | 9.3 | Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. | Apr 23, 2026 |
| CVE-2026-32210 | CRITICAL | 9.3 | Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network. | Apr 23, 2026 |
| CVE-2026-32172 | HIGH | 8.0 | Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network. | Apr 23, 2026 |
| CVE-2026-2708 | LOW | 3.7 | A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate … | Apr 23, 2026 |
| CVE-2026-26210 | CRITICAL | 9.8 | KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all … | Apr 23, 2026 |
| CVE-2026-26150 | HIGH | 8.6 | Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. | Apr 23, 2026 |