Openclaw Vulnerabilities
Comprehensive security vulnerability database for Openclaw products
Severity Distribution (chart)
| CVE | CVSS | Description | Vendor / Product | Exploit Status | Published |
|---|---|---|---|---|---|
| CVE-2026-4040 | 4.8 | Allows an attacker with local access to the system to potentially view sensitive information, due to a flaw in how the software checks for file existence. Exploitation requires the ability to run code on the affected version of OpenClaw; upgrade to the latest version to fix the problem. | openclaw / openclaw | Exploit Available | Mar 12, 2026 |
| CVE-2026-4039 | 5.3 | Allows a remote attacker to inject malicious code into the OpenClaw application through a flaw in its Skill Env Handler. Exploitation requires the attacker to manipulate specific configurations; upgrade to the latest version to protect against this risk. | openclaw / openclaw | Exploit Available | Mar 12, 2026 |
| CVE-2026-32063 | 6.9 | Allows an attacker to inject and execute arbitrary commands with the same permissions as the OpenClaw service user, potentially taking control of the system. Exploitation requires the attacker to manipulate specific environment variables and trigger a service installation or restart. | openclaw / openclaw | Exploit Available | Mar 11, 2026 |
| CVE-2026-32061 | 6.7 | Allows an attacker to read sensitive files on the server, such as API keys and credentials, by manipulating file paths in the OpenClaw application. Exploitation requires the ability to modify configuration settings within OpenClaw. | openclaw / openclaw | Theoretical | Mar 11, 2026 |
| CVE-2026-27576 | 4.8 | Allows an attacker to crash the OpenClaw AI assistant by sending it excessively large text inputs, which can overwhelm the system. It mainly affects local clients, such as those integrated into development environments, and has been fixed in the latest version. | openclaw / openclaw | Exploit Available | Feb 21, 2026 |
| CVE-2026-27488 | 6.9 | Allows an attacker to send requests to private or internal endpoints of the OpenClaw AI assistant, potentially exposing sensitive information. It occurs in specific versions where the system does not properly check the destination of webhook requests, so an attacker could exploit it without special access or credentials. | openclaw / openclaw | Exploit Available | Feb 21, 2026 |
| CVE-2026-27486 | 4.3 | Allows an attacker to terminate unrelated processes on a shared host via the OpenClaw CLI's cleanup feature, which does not check whether the processes belong to the current user. Exploitation requires access to the OpenClaw CLI and the ability to craft a command that matches the target processes. | openclaw / openclaw | Exploit Available | Feb 21, 2026 |
| CVE-2026-27485 | 4.6 | Allows an attacker to trick the OpenClaw packaging script into including sensitive files from the user's system in a generated skill archive. Exploitation requires control over the local skill directory, and the script must be run on the user's machine. | openclaw / openclaw | Exploit Available | Feb 21, 2026 |
About Openclaw Security
This page tracks all publicly disclosed security vulnerabilities (CVEs) affecting Openclaw products. The database is updated in real time from the National Vulnerability Database (NVD) and enriched with exploit information from GitHub and other security research sources.
Each CVE listing includes its CVSS severity score, exploit availability status, an AI-generated vulnerability summary, and links to official patches and security advisories.