GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
30 advisories
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Moderate
CVE-2026-41331
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Moderate
CVE-2026-41330
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Critical
CVE-2026-41329
was published
for
openclaw
(npm)
Apr 2, 2026
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
Moderate
CVE-2026-41297
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile
Critical
CVE-2026-41296
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Tlon media downloads can bypass core safety limits and exhaust disk
Moderate
GHSA-4g5x-2jfc-xm98
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
Moderate
GHSA-h2v7-xc88-xx8c
was published
for
openclaw
(npm)
Apr 7, 2026
OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation
Critical
CVE-2026-33579
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication
Moderate
CVE-2026-33580
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw affected by SSRF via unguarded image download in fal provider
Low
CVE-2026-34504
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Moderate
CVE-2026-33577
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw: Zalo channel downloads media before sender authorization
Moderate
CVE-2026-33576
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
High
CVE-2026-33581
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
High
CVE-2026-34503
was published
for
openclaw
(npm)
Mar 31, 2026
OpenClaw: Google Chat and Zalouser group sender allowlist bypass via policy downgrade
Moderate
CVE-2026-33578
was published
for
openclaw
(npm)
Apr 1, 2026
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
Moderate
GHSA-rm5c-4rmf-vvhw
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
High
GHSA-gjm7-hw8f-73rq
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
Moderate
GHSA-w85g-3h6x-4xh2
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
High
GHSA-xj9w-5r6q-x6v4
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Low
GHSA-37v6-fxx8-xjmx
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw runs Discord audio preflight transcription before member authorization
Moderate
GHSA-hhff-fj5f-qg48
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Moderate
GHSA-mhr7-2xmv-4c4q
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
Moderate
GHSA-p464-m8x6-vhv8
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
Moderate
GHSA-68v4-hmwv-f43h
was published
for
openclaw
(npm)
Apr 3, 2026
OpenClaw: OpenShell Mirror Sync — Sandbox Escape via Unrestricted File Sync + Symlink Traversal
High
GHSA-cwf8-44x6-32c2
was published
for
openclaw
(npm)
Apr 3, 2026
ProTip!
Advisories are also available from the
GraphQL API