OpenClaw CVE Tracker
Living reference of all OpenClaw CVEs with severity scores, affected versions, and remediation steps.
This is a living reference of all known OpenClaw CVEs. Last updated: March 2026.
If you are running any OpenClaw version prior to v2026.2.26, you are carrying at least one known, unpatched CVE; the highest-rated one (CVSS 8.8) has been exploited in the wild. Update immediately.
CVE-2026-25253 -- Token Exfiltration / One-Click RCE

| Field | Value |
|-------|-------|
| CVSS Score | 8.8 (High) |
| Affected Versions | All versions prior to 2026.1.29 |
| Fixed In | v2026.1.29 (initial), v2026.2.25 (complete) |
| Attack Vector | Network (one click) |
| Exploited in Wild | Yes |
What happened: The Control UI trusted the gatewayUrl query parameter without validation and auto-connected on page load. An attacker could craft a malicious link that, when clicked by an OpenClaw user, would exfiltrate the Gateway authentication token to an attacker-controlled server.
Impact: Full gateway compromise. The attacker could modify configuration, invoke privileged actions, register malicious scripts as trusted, and gain complete control of the victim's machine.
Key details:
- OpenClaw incorrectly assumed localhost connections could be implicitly trusted
- JavaScript on an attacker-controlled webpage could silently open a WebSocket to the Gateway
- No rate limits or failure thresholds for incorrect passwords -- brute-force attacks succeeded without alerts
- Exploitable even on localhost-only deployments
Remediation: Update to v2026.2.25 or later. If you cannot update immediately, disable the Control UI web interface entirely.
CVE-2026-24763 and CVE-2026-25157 -- Command Injection

| Field | Value |
|-------|-------|
| CVSS Score | 8.1-8.5 (High) |
| Affected Versions | Versions prior to 2026.2.0 |
| Fixed In | v2026.2.0 |
| Attack Vector | Network |
What happened: Two command injection vulnerabilities allowed attackers to execute arbitrary commands through crafted inputs that bypassed input sanitization.
Remediation: Update to v2026.2.0 or later.
CVE-2026-28466 -- Approval Field Bypass

| Field | Value |
|-------|-------|
| CVSS Score | 7.5 (High) |
| Affected Versions | Versions prior to 2026.2.14 |
| Fixed In | v2026.2.14 |
| Attack Vector | Network |
What happened: The Gateway failed to sanitize internal approval fields in node.invoke parameters. This allowed attackers to bypass the approval mechanism and execute actions without user consent.
Impact: Particularly dangerous for CI/CD environments or connected development workstations with Gateway access.
Remediation: Update to v2026.2.14 or later.
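The general shape of the fix for this class of bug is to strip every internal field from client-supplied invoke parameters and to let the gateway decide approval from its own records afterwards. The following is an added example, not OpenClaw's code: the advisory does not name the internal fields, so the field names, the ledger shape and the function names are assumptions.

```javascript
// Added example, not OpenClaw's code. The approval field names below are
// assumptions; the advisory only says "internal approval fields".
const INTERNAL_FIELDS = new Set(['approved', 'approvalId', 'approvedBy', 'bypassApproval']);

// Copy client parameters onto a prototype-less object, dropping anything that
// names internal approval state or a prototype-pollution key. JSON.parse
// produces "__proto__" as an own property, so it has to be filtered here.
function sanitizeInvokeParams(params) {
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    throw new TypeError('invoke params must be a plain object');
  }
  const clean = Object.create(null);
  for (const [key, value] of Object.entries(params)) {
    if (INTERNAL_FIELDS.has(key)) continue;
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    clean[key] = value;
  }
  return clean;
}

// Approval is attached only after sanitising and only from the gateway's own
// ledger (here a Set of action names the user has approved), so a client
// field can never pre-populate it.
function buildInvocation(rawParams, approvalLedger, action) {
  const params = sanitizeInvokeParams(rawParams);
  return { action, params, approved: approvalLedger.has(action) };
}

// VULNERABLE counterpart for comparison: spreads the client object straight
// into the invocation, so {"approved": true} from the wire is honoured.
function buildInvocationUnsafe(rawParams, action) {
  return { action, ...rawParams };
}
```

The sanitizer only looks at the top level, which is enough when internal fields live beside client fields in one object. A sturdier design keeps them in separate namespaces (for example an outer envelope with a client section and a gateway-only section) so nothing from the wire can ever share a key with internal state.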
CVE-2026-28453 -- Path Traversal via TAR Extraction

| Field | Value |
|-------|-------|
| CVSS Score | 7.3 (High) |
| Affected Versions | Versions prior to 2026.2.14 |
| Fixed In | v2026.2.14 |
| Attack Vector | Local/Network |
What happened: OpenClaw failed to validate TAR archive entry paths during skill extraction, allowing path traversal sequences to write files outside the intended directory.
Impact: Arbitrary file write on the host system. A malicious skill package could overwrite system files or plant backdoors.
Remediation: Update to v2026.2.14 or later.
Moderate CVEs

CVE-2026-28478 -- Denial of Service (Webhook Handlers)

| Field | Value |
|-------|-------|
| CVSS Score | 5.3 (Medium) |
| Affected Versions | Versions prior to 2026.2.13 |
| Fixed In | v2026.2.13 |
What happened: Webhook handlers buffered request bodies without strict byte or time limits, allowing an attacker to send oversized payloads and crash the Gateway.
CVE-2026-28479 -- SHA-1 Sandbox Cache Collision

| Field | Value |
|-------|-------|
| CVSS Score | 5.1 (Medium) |
| Affected Versions | Versions prior to 2026.2.15 |
| Fixed In | v2026.2.15 |

What happened: OpenClaw used SHA-1 (deprecated, with practical chosen-prefix collision attacks) to hash sandbox identifier cache keys. An attacker who could produce colliding inputs could make two sandboxes share a cache entry, potentially enabling cross-sandbox leakage or privilege escalation.
CVE-2026-25475 -- Related Command Injection

| Field | Value |
|-------|-------|
| CVSS Score | 7.2 (High) |
| Affected Versions | Versions prior to 2026.2.0 |
| Fixed In | v2026.2.0 |

What happened: An additional command injection vector related to CVE-2026-24763, fixed in the same release. Note that its CVSS score is High, not Medium, despite its placement in this section.
Version Safety Matrix

| Version | Safety Status |
|---------|---------------|
| < 2026.1.29 | CRITICAL -- One-click RCE vulnerability |
| 2026.1.29 - 2026.1.x | HIGH RISK -- Multiple unpatched CVEs |
| 2026.2.0 - 2026.2.12 | ELEVATED -- Command injection patched, other issues remain |
| 2026.2.13 - 2026.2.24 | MODERATE -- DoS and cache collision patched |
| 2026.2.25+ | CURRENT MINIMUM -- Token exfiltration fully patched |
| 2026.2.26+ | RECOMMENDED -- All known CVEs patched |

How to Check Your Version

```shell
openclaw --version
openclaw security audit
```
Reporting New Vulnerabilities
OpenClaw does not currently have a formal bug bounty program or dedicated security team. Report vulnerabilities via GitHub Security Advisories on the openclaw/openclaw repository.
Next Steps
- Hardening Guide -- Secure your deployment beyond just patching
- Supply Chain Safety -- Protect against malicious skills