Openclaw Vulnerabilities

Comprehensive security vulnerability database for Openclaw products

Last updated: Mar 12, 2026
Total CVEs: 12
Critical: 0
With Exploits: 10
Last 30 Days: 6

Severity Distribution
Critical: 0 (0%)
High: 3 (25%)
Medium: 8 (67%)
Low: 1 (8%)
CVE listings (CVE ID and CVSS score, description, vendor / product, exploit status, publication date)

CVE-2026-4040 (CVSS 4.8)

This vulnerability allows an attacker with local access to the system to potentially view sensitive information due to a flaw in how the software checks for file existence. To exploit this issue, the attacker must be able to run code on the affected version of OpenClaw, so it's important to upgrade to the latest version to fix the problem.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Mar 12, 2026 (26 days ago)

CVE-2026-4039 (CVSS 5.3)

An attacker can remotely inject malicious code into the OpenClaw application due to a flaw in its Skill Env Handler. To exploit this vulnerability, the attacker needs to manipulate specific configurations, making it crucial to upgrade to the latest version to protect against this risk.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Mar 12, 2026 (26 days ago)

CVE-2026-32063 (CVSS 6.9)

An attacker can exploit a vulnerability in OpenClaw to inject and execute arbitrary commands with the same permissions as the OpenClaw service user, potentially taking control of the system. This requires the attacker to manipulate specific environment variables and trigger a service installation or restart.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Mar 11, 2026 (27 days ago)

CVE-2026-32061 (CVSS 6.7)

This vulnerability allows an attacker to read sensitive files on the server, such as API keys and credentials, by manipulating file paths in the OpenClaw application. To exploit this, the attacker must have the ability to modify configuration settings within OpenClaw.

Vendor / Product: openclaw / openclaw
Exploit status: Theoretical
Published: Mar 11, 2026 (27 days ago)

CVE-2026-32060 (CVSS 8.7)

This vulnerability allows attackers to write or delete files on the server outside of the designated workspace, which can lead to unauthorized changes or data loss. It occurs when the apply_patch feature is enabled without proper security measures in place, allowing attackers to manipulate file paths to escape the intended directory.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Mar 11, 2026 (27 days ago)

CVE-2026-32059 (CVSS 8.7)

This vulnerability allows attackers to run unauthorized sort commands on OpenClaw systems by using shortened versions of command options, effectively bypassing security checks meant to prevent such actions. It requires the system to be in allowlist mode, where only approved commands should be executed, but the flaw lets attackers bypass these restrictions.

Vendor / Product: openclaw / openclaw
Exploit status: Theoretical
Published: Mar 11, 2026 (27 days ago)

CVE-2026-27576 (CVSS 4.8)

This vulnerability allows an attacker to crash the OpenClaw AI assistant by sending it excessively large text inputs, which can overwhelm the system. It mainly affects local clients, like those integrated into development environments, and has been fixed in the latest version.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

CVE-2026-27488 (CVSS 6.9)

This vulnerability allows an attacker to send requests to private or internal endpoints of the OpenClaw AI assistant, potentially exposing sensitive information. It occurs in specific versions where the system does not properly check the destination of webhook requests, meaning attackers could exploit this without needing special access or credentials.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

CVE-2026-27487 (CVSS 8.0)

This vulnerability allows an attacker to execute arbitrary commands on a user's macOS system by manipulating OAuth tokens used in the OpenClaw personal AI assistant. It affects versions 2026.2.13 and earlier, and requires the attacker to have control over the OAuth token to exploit the flaw.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

CVE-2026-27486 (CVSS 4.3)

This vulnerability allows an attacker to terminate unrelated processes on a shared host by exploiting the OpenClaw CLI's cleanup feature, which doesn't check whether the processes belong to the current user. To take advantage of this, the attacker must have access to the OpenClaw CLI and be able to craft a command that matches the target processes.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

CVE-2026-27485 (CVSS 4.6)

This vulnerability allows an attacker to trick the OpenClaw packaging script into including sensitive files from the user's system in a generated skill archive. However, the attacker must have control over the local skill directory, and the script must be run on the user's machine for the exploit to work.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

CVE-2026-27484 (CVSS 2.3)

An attacker can misuse a personal AI assistant to perform moderation actions, such as kicking or banning users from a Discord server, by pretending to be someone else, as long as the bot has the required permissions and moderation features are enabled. This vulnerability affects versions up to 2026.2.17, and it has been fixed in the latest update.

Vendor / Product: openclaw / openclaw
Exploit status: Exploit Available
Published: Feb 21, 2026 (about 2 months ago)

About Openclaw Security

This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Openclaw products. Our database is updated in real time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.

Each CVE listing includes CVSS severity scores, exploit availability status, AI-powered vulnerability summaries, and links to official patches and security advisories.