npm CVE Archive

openclaw CVE Vulnerabilities

All known CVEs affecting openclaw. Kodem’s runtime-powered SCA reveals which are actually reachable in your application.

Known vulnerabilities

| CVE | Summary | Severity |
| --- | --- | --- |
| CVE-2026-53865 | OpenClaw: Workspace-derived service PATH could influence trash command selection | High |
| CVE-2026-53858 | OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime… | High |
| CVE-2026-53849 | OpenClaw: Discord allowFrom could bind to mutable display names | High |
| CVE-2026-53846 | OpenClaw: Workspace .env npm_execpath could influence bundled runtime… | High |
| CVE-2026-53853 | OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns | High |
| CVE-2026-53844 | OpenClaw: memory-wiki shared search could miss session visibility checks | Medium |
| CVE-2026-53856 | OpenClaw: Config recovery could restore openclaw.json with broad file… | Medium |
| CVE-2026-53857 | OpenClaw: Zalo allowFrom could bind to mutable display names | High |
| CVE-2026-53841 | OpenClaw: Exported session HTML could keep unsafe markdown links | Medium |
| CVE-2026-53851 | OpenClaw: Slack reaction events could ignore reaction notification settings | Medium |
| CVE-2026-53855 | OpenClaw: Shell positional parameters could weaken strict inline-eval checks | High |
| CVE-2026-53859 | OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently | Medium |
| CVE-2026-53861 | OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags | Medium |
| CVE-2026-53842 | OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud… | High |
| CVE-2026-53866 | OpenClaw: Shell inline-command parsing could miss an allowlist check | High |
| CVE-2026-53843 | OpenClaw: Pairing-scoped device session could restore revoked node token… | High |
| CVE-2026-53864 | OpenClaw: Host environment sanitizer missed two Node.js control variables | High |
| CVE-2026-53840 | OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers… | High |
| CVE-2026-45004 | OpenClaw vulnerable to arbitrary code execution via attacker-controlled… | High |
| CVE-2026-45005 | OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload | Medium |
| CVE-2026-43570 | OpenClaw contains a symlink traversal vulnerability | Medium |
| CVE-2026-44113 | OpenClaw: OpenShell FS bridge reads pin and verify the opened file before… | Medium |
| CVE-2026-44112 | OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root | Medium |
| CVE-2026-44118 | OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens | High |
| CVE-2026-44116 | OpenClaw validates Zalo outbound photo URLs through the SSRF guard | Medium |
| CVE-2026-44117 | OpenClaw: QQBot direct media upload skipped URL SSRF validation | Medium |

Prioritize openclaw vulnerabilities

Kodem Kai can identify which of these CVEs are reachable in your dependency tree and generate targeted fix recommendations.
