Security Advisories
A list of vulnerabilities (CVE / GHSA) publicly disclosed by Tencent Zhuque Lab. View as JSONopen_in_new
bug_report
Vulnerabilities
67
deployed_code
Products
21
leaderboard
Severity Breakdown
-
open_in_newMedium CVE-2026-42426 CWE-269/CWE-863
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium CVE-2026-42428 CWE-353
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
deployed_code Affected: openclaw < 2026.4.8 calendar_today Published: April 09, 2026 -
open_in_newMedium GHSA-846p-hgpv-vphc CWE-22
OpenClaw: QQ Bot structured payloads could read arbitrary local files
deployed_code Affected: openclaw <= 2026.4.1 calendar_today Published: April 07, 2026 -
open_in_newMedium CVE-2026-41407 CWE-208
OpenClaw: Shared-secret comparison call sites leaked length information through timing
deployed_code Affected: openclaw <= 2026.4.1 calendar_today Published: April 07, 2026 -
open_in_newMedium CVE-2026-41333 CWE-307/CWE-799
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
deployed_code Affected: openclaw <= 2026.3.28 calendar_today Published: April 03, 2026 -
open_in_newMedium CVE-2026-41332 CWE-184
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
deployed_code Affected: openclaw <= 2026.3.24 calendar_today Published: March 31, 2026 -
open_in_newMedium CVE-2026-4706 CWE-754
Incorrect boundary conditions in the Graphics: Canvas2D component
deployed_code Affected: firefox < 115.34; < 140.9; < 149 calendar_today Published: March 24, 2026 -
open_in_newMedium CVE-2026-32018 CWE-362
OpenClaw's serialize sandbox registry writes to prevent races and delete-rollback corruption
deployed_code Affected: openclaw < 2026.2.19 calendar_today Published: March 03, 2026 -
open_in_newMedium CVE-2026-27007 CWE-1254
OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
deployed_code Affected: openclaw < 2026.2.15 calendar_today Published: February 18, 2026 -
open_in_newMedium CVE-2025-68785
net: openvswitch: fix middle attribute validation in push_nsh() action
deployed_code Affected: Linux / openvswitch >= 4.15, < 5.10.248; >= 4.15, < 5.15.198; >= 4.15, < 6.1.160; >= 4.15, < 6.6.120; >= 4.15, < 6.12.64; >= 4.15, < 6.18.3; >= 4.15, < 6.19 calendar_today Published: January 13, 2026
Per page
