Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newHigh CVE-2026-42427 CWE-78/CWE-184
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42422 CWE-863
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42431 CWE-863
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-41916 CWE-613
OpenClaw: resolvedAuth closure becomes stale after config reload
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42421 CWE-613
OpenClaw: Existing WS sessions survive shared gateway token rotation
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42426 CWE-269/CWE-863
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42428 CWE-353
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newLow CVE-2026-41915 CWE-78/CWE-184
OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium GHSA-846p-hgpv-vphc CWE-22
OpenClaw: QQ Bot structured payloads could read arbitrary local files
deployed_code Affected: openclaw <= 2026.4.1 calendar_today Published: April 07, 2026 -
open_in_newMedium CVE-2026-41407 CWE-208
OpenClaw: Shared-secret comparison call sites leaked length information through timing
deployed_code Affected: openclaw <= 2026.4.1 calendar_today Published: April 07, 2026
Per page
