npm/clawdbot — 10 CVEs · VulnScope
Package: pkg:npm/clawdbot
10 total CVEs: 1 CRITICAL, 5 HIGH, 4 MEDIUM
All known vulnerabilities (severity, CVSS score, identifier, title, affected version range):

CRITICAL (9.8) CVE-2026-28469: OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting. Affected: from 0, <= 2026.1.24-3
HIGH (8.8) CVE-2026-25253: OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl. Affected: from 0, < 2026.1.29
HIGH (8.8) CVE-2026-24763: OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable. Affected: from 0, < 2026.1.29
HIGH (7.7): OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand. Affected: from 0, < 2026.1.29
HIGH (7.5): OpenClaw affected by denial of service via unbounded webhook request body buffering. Affected: from 0, <= 2026.1.24-3
HIGH (7.1): OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints. Affected: from 0, <= 2026.1.24-3
MEDIUM (6.5): OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR). Affected: from 0, <= 2026.1.24-3
MEDIUM (6.5): OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities. Affected: from 0, < 2026.2.14
MEDIUM (5.9): OpenClaw Telegram allowlist authorization accepted mutable usernames. Affected: from 0, <= 2026.1.24-3
MEDIUM (5.5): OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks. Affected: from 0, <= 2026.1.24-3
Further CVE identifiers listed for this package (shown on the page separately from the entries above): CVE-2026-25157, CVE-2026-28478, CVE-2026-26317, CVE-2026-28452, CVE-2026-26328, CVE-2026-28480, CVE-2026-29612