openclaw security advisories
9 threat alerts tracking vulnerabilities and security advisories that affect openclaw products.
Vulnios monitors openclaw CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent openclaw security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-43578 — openclaw — openclaw
Severity: critical
OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can

Critical Vulnerability: CVE-2026-43581 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protoc

Critical Vulnerability: CVE-2026-44109 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKe

Critical Vulnerability: CVE-2026-43575 — openclaw — openclaw
Severity: critical
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access

Critical Vulnerability: CVE-2026-43566 — openclaw — openclaw
Severity: critical
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can explo

Critical Vulnerability: CVE-2026-43534 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate u

Critical Vulnerability: CVE-2026-41386 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during

Critical Vulnerability: CVE-2026-41329 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can ex

Critical Vulnerability: CVE-2026-44112 — openclaw — openclaw
Severity: critical
OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers
Track openclaw exposure across your environment
Vulnios automatically cross-references your asset inventory against new openclaw CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.