GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
32 advisories
OpenClaw has an IPv6 multicast SSRF classifier bypass (Moderate). GHSA-h97f-6pqj-q452 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP (Moderate). GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) on Mar 4, 2026.
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots (Moderate). GHSA-j425-whc4-4jgc was published for openclaw (npm) on Mar 9, 2026.
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation (Moderate). GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) on Mar 12, 2026.
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists (Moderate). GHSA-9vvh-2768-c8vp was published for openclaw (npm) on Mar 13, 2026.
OpenClaw's Zalouser allowlist authorization matched mutable group names by default (Moderate). GHSA-f5mf-3r52-r83w was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Feishu reaction events could bypass group authorization and mention gating (Moderate). GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths (Moderate). GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) on Mar 13, 2026.
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes (Moderate). CVE-2026-32045 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status (Moderate). GHSA-ppwq-6v66-5m6j was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events (Moderate). GHSA-mw7w-g3mg-xqm7 was published for openclaw (npm) on Mar 27, 2026.
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) (Moderate). CVE-2026-32896 was published for openclaw (npm) on Mar 3, 2026.
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty (Moderate). CVE-2026-34506 was published for openclaw (npm) on Mar 12, 2026.
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation (Moderate). CVE-2026-34505 was published for openclaw (npm) on Mar 13, 2026.
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers (Moderate). CVE-2026-35647 was published for openclaw (npm) on Mar 27, 2026.
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback (Moderate). CVE-2026-35654 was published for openclaw (npm) on Mar 29, 2026.
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope (Moderate). CVE-2026-35657 was published for openclaw (npm) on Mar 29, 2026.
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing (Moderate). CVE-2026-35664 was published for openclaw (npm) on Mar 29, 2026.
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions (Moderate). CVE-2026-35652 was published for openclaw (npm) on Mar 26, 2026.
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting (Moderate). CVE-2026-35655 was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State (Moderate). CVE-2026-35661 was published for openclaw (npm) on Mar 29, 2026.
OpenClaw has a Gateway HTTP /v1/models Route that Bypasses Operator Read Scope (Moderate). CVE-2026-35619 was published for openclaw (npm) on Mar 30, 2026.
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete (Moderate). CVE-2026-35637 was published for openclaw (npm) on Mar 26, 2026.
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token (Moderate). CVE-2026-35646 was published for openclaw (npm) on Mar 29, 2026.
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence (Moderate). GHSA-f3h5-h452-vp3j was published for openclaw (npm) on Apr 17, 2026.
Advisories are also available from the GraphQL API.