GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
32 advisories
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Moderate
CVE-2026-41344
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands
Moderate
CVE-2026-43568
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send
Moderate
CVE-2026-41379
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
Moderate
CVE-2026-41295
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing
Moderate
CVE-2026-35623
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
Moderate
CVE-2026-35628
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Moderate
CVE-2026-35645
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence
Moderate
GHSA-f3h5-h452-vp3j
was published
for
openclaw
(npm)
Apr 17, 2026
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
Moderate
CVE-2026-35646
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
Moderate
CVE-2026-35637
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope
Moderate
CVE-2026-35619
was published
for
openclaw
(npm)
Mar 30, 2026
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
Moderate
CVE-2026-35661
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
Moderate
CVE-2026-35655
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions
Moderate
CVE-2026-35652
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing
Moderate
CVE-2026-35664
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Moderate
CVE-2026-35657
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Moderate
CVE-2026-35654
was published
for
openclaw
(npm)
Mar 29, 2026
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers
Moderate
CVE-2026-35647
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Moderate
CVE-2026-34505
was published
for
openclaw
(npm)
Mar 13, 2026
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty
Moderate
CVE-2026-34506
was published
for
openclaw
(npm)
Mar 12, 2026
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
Moderate
CVE-2026-32896
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events
Moderate
GHSA-mw7w-g3mg-xqm7
was published
for
openclaw
(npm)
Mar 27, 2026
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
Moderate
GHSA-ppwq-6v66-5m6j
was published
for
openclaw
(npm)
Mar 26, 2026
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
Moderate
CVE-2026-32045
was published
for
openclaw
(npm)
Mar 3, 2026
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths
Moderate
GHSA-f8r2-vg7x-gh8m
was published
for
openclaw
(npm)
Mar 13, 2026
ProTip!
Advisories are also available from the
GraphQL API