Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

31 advisories

Loading
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes Moderate
CVE-2026-32045 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
CVE-2026-32896 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw has a IPv6 multicast SSRF classifier bypass Moderate
GHSA-h97f-6pqj-q452 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP Moderate
GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) Mar 4, 2026
zpbrent Credited to zpbrent
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots Moderate
GHSA-j425-whc4-4jgc was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey, SnailSploit, and zpbrent SnailSploit SnailSploit
zpbrent zpbrent
zpbrent Credited to zpbrent
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw's Zalouser allowlist authorization matched mutable group names by default Moderate
GHSA-f5mf-3r52-r83w was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu reaction events could bypass group authorization and mention gating Moderate
GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths Moderate
GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
CVE-2026-34505 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status Moderate
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
CVE-2026-35652 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
CVE-2026-35637 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting Moderate
CVE-2026-35655 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
CVE-2026-35623 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Moderate
CVE-2026-35647 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Moderate
GHSA-mw7w-g3mg-xqm7 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
zpbrent Credited to zpbrent
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope Moderate
CVE-2026-35657 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing Moderate
CVE-2026-35664 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` Moderate
CVE-2026-35645 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
zpbrent Credited to zpbrent
zpbrent Credited to zpbrent
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Moderate
CVE-2026-35661 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API