Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
70
GitHub Actions
52
Go
3,904
Maven
5,000+
npm
5,000+
NuGet
967
pip
5,000+
Pub
13
RubyGems
1,062
Rust
1,374
Swift
54
Unreviewed advisories
All unreviewed
5,000+

60 advisories

Loading
OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose` Moderate
CVE-2026-41344 was published for openclaw (npm) Mar 31, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send High
CVE-2026-41359 was published for openclaw (npm) Apr 7, 2026
zpbrent Credited to zpbrent
OpenClaw: Workspace provider auth choices could auto-enable untrusted provider plugins High
CVE-2026-43569 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Matrix profile config persistence was reachable from operator.write message tools High
CVE-2026-42433 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Memory dreaming config persistence was reachable from operator.write commands Moderate
CVE-2026-43568 was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway operator.write Can Reach Admin-Class Talk Voice Config Persistence via chat.send Moderate
CVE-2026-41379 was published for openclaw (npm) Apr 7, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing High
CVE-2026-41299 was published for openclaw (npm) Mar 31, 2026
zpbrent Credited to zpbrent
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup Moderate
CVE-2026-41295 was published for openclaw (npm) Apr 7, 2026
zpbrent Credited to zpbrent
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Low
CVE-2026-35624 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
CVE-2026-35623 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Low
CVE-2026-35617 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
CVE-2026-35628 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` Moderate
CVE-2026-35645 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Nostr profile mutation routes allowed operator.write config persistence Moderate
GHSA-f3h5-h452-vp3j was published for openclaw (npm) Apr 17, 2026
zpbrent Credited to zpbrent
OpenClaw may have stale policy enforcement for queued node actions Low
CVE-2026-35648 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token Moderate
CVE-2026-35646 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
CVE-2026-35637 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve Critical
CVE-2026-35639 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw has a Gateway HTTP /v1/models Route Bypasses Operator Read Scope Moderate
CVE-2026-35619 was published for openclaw (npm) Mar 30, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State Moderate
CVE-2026-35661 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting Moderate
CVE-2026-35655 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
CVE-2026-35652 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw has Inconsistent Host Exec Environment Override Sanitization High
CVE-2026-35650 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers High
CVE-2026-35669 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing Moderate
CVE-2026-35664 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database