Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-28473 — OpenClaw < 2026.2.2 - Authorization Bypass via /approve Chat Command

OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat comma…

Remote | Authorization
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-28472 — OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake

OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated.…

Remote | Authentication
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
8.4 HIGH
CVE-2026-28471 — OpenClaw 2026.1.14-1 < 2026.2.2 - Allowlist Bypass via displayName and Cross-Homeserver l…

OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender…

| Authorization
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-28470 — OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes

OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vulnerability that allows attackers to execute arbitrary commands by injecting command substitution sy…

Remote | Injection
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-28469 — OpenClaw < 2026.2.14 - Cross-Account Policy Context Misrouting via Shared Webhook Path Am…

OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets sha…

Remote | Misconfiguration
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.8 HIGH
CVE-2026-28468 — OpenClaw 2026.1.29-beta.1 < 2026.2.14 - Authentication Bypass in Sandbox Browser Bridge S…

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing loca…

| Authentication
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
5.3 MEDIUM
CVE-2026-28467 — OpenClaw < 2026.2.2 - SSRF via Attachment Media URL Hydration

OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers w…

Remote | Server-Side Request Forgery
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
8.8 HIGH
CVE-2026-28466 — OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass

OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass …

Remote | Injection
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28465 — OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrust…

Remote | Authentication
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-28464 — OpenClaw < 2026.2.12 - Timing Attack in Hooks Token Authentication

OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network a…

Remote | Cryptography
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
8.4 HIGH
CVE-2026-28463 — OpenClaw < 2026.2.14 - Arbitrary File Read via Shell Expansion in Safe Bins Allowlist

OpenClaw exec-approvals allowlist validation checks pre-expansion argv tokens but execution uses real shell expansion, allowing safe bins like head, tail, or grep to read arbitrary local files via gl…

| Path Traversal
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28462 — OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining w…

Remote | Path Traversal
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
6.5 MEDIUM
CVE-2026-28459 — OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. At…

Remote | Path Traversal
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28458 — OpenClaw 2026.1.20 < 2026.2.1 - Missing Authentication in Browser Relay /cdp WebSocket En…

OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authenticatio…

Remote | Authentication
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28457 — OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills…

Remote | Path Traversal
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
8.4 HIGH
CVE-2026-28456 — OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Hand…

OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), …

| Misconfiguration
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
9.8 CRITICAL
CVE-2026-28454 — OpenClaw < 2026.2.2 - Authorization Bypass via Unauthenticated Telegram Webhook

OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacke…

Remote | Authentication
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28453 — OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction

OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft m…

Remote | Path Traversal
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
7.5 HIGH
CVE-2026-28452 — OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction in extractArchi…

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and d…

Remote | Denial of Service
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
5.3 MEDIUM
CVE-2026-28451 — OpenClaw < 2026.2.14 - SSRF via Feishu Extension Media Fetching

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections…

Remote | Server-Side Request Forgery
Mar 05, 2026 Mar 05, 2026
Mar 05, 2026
Mar 05, 2026
Showing 20 of 5204 Results