| # | CVSS | Severity | Attack Vector | Description | Status | CWE | CVE ID | Published | Updated |
|---|---|---|---|---|---|---|---|---|---|
| 411 | 5.3 | MEDIUM | Network | OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-s… | New | CWE-770: Allocation of Resources Without Limits or Throttling | CVE-2026-41400 | 2026-04-29 05:10 | 2026-04-29 |
| 412 | 4.2 | MEDIUM | Network | OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same mess… | New | CWE-706: Use of Incorrectly-Resolved Name or Reference | CVE-2026-41402 | 2026-04-29 05:10 | 2026-04-29 |
| 413 | 2.9 | LOW | Local | OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass acce… | New | CWE-807: Reliance on Untrusted Inputs in a Security Decision | CVE-2026-41403 | 2026-04-29 05:10 | 2026-04-29 |
| 414 | 8.8 | HIGH | Network | OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by decla… | New | CWE-863: Incorrect Authorization | CVE-2026-41404 | 2026-04-29 05:10 | 2026-04-29 |
| 415 | 7.5 | HIGH | Network | OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicio… | New | CWE-408: Incorrect Behavior Order: Early Amplification | CVE-2026-41405 | 2026-04-29 05:10 | 2026-04-29 |
| 416 | 5.4 | MEDIUM | Network | OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context m… | New | CWE-639: Authorization Bypass Through User-Controlled Key | CVE-2026-41406 | 2026-04-29 05:10 | 2026-04-29 |
| 417 | 3.7 | LOW | Network | OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attacker… | New | CWE-208: Information Exposure Through Timing Discrepancy | CVE-2026-41407 | 2026-04-29 05:10 | 2026-04-29 |
| 418 | 4.3 | MEDIUM | Network | OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk spa… | New | CWE-770: Allocation of Resources Without Limits or Throttling | CVE-2026-41408 | 2026-04-29 05:10 | 2026-04-29 |
| 419 | 4.3 | MEDIUM | Network | OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist mod… | New | CWE-863: Incorrect Authorization | CVE-2026-41910 | 2026-04-29 05:10 | 2026-04-29 |
| 420 | 6.5 | MEDIUM | Network | OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and u… | New | CWE-22: Path Traversal | CVE-2026-41911 | 2026-04-29 05:10 | 2026-04-29 |