Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.2 HIGH
CVE-2026-41395 — OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attacke…

Remote | Cryptography
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.8 HIGH
CVE-2026-41394 — OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth …

OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes withou…

Remote | Authentication
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.9 MEDIUM
CVE-2026-41393 — OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via…

OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.7 MEDIUM
CVE-2026-41392 — OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options li…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.8 MEDIUM
CVE-2026-41391 — OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling

OpenClaw before 2026.3.31 fails to properly sanitize PIP_INDEX_URL and UV_INDEX_URL environment variables in host execution contexts, allowing attackers to redirect Python package-index traffic. Atta…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.3 HIGH
CVE-2026-41390 — OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers…

| Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.5 MEDIUM
CVE-2026-41388 — OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling

OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate r…

Remote | Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.5 HIGH
CVE-2026-41387 — OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitizat…

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
9.1 CRITICAL
CVE-2026-41386 — OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41385 — OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted …

Remote | Information Disclosure
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.5 HIGH
CVE-2026-41384 — OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configur…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.1 HIGH
CVE-2026-41383 — OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths

OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWork…

Remote | Path Traversal
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41382 — OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Va…

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stal…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41381 — OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowli…

OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers ca…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.3 HIGH
CVE-2026-41380 — OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targ…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41379 — OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers w…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.8 HIGH
CVE-2026-41378 — OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted nod…

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attacker…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.1 MEDIUM
CVE-2026-41377 — OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation

OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install unt…

Remote | Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41376 — OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root …

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41375 — OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
Showing 20 of 5892 Results