Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

53 advisories

Loading
OpenClaw: Native command authorization could skip owner-command enforcement High
GHSA-p73f-w79w-jqr5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Telegram interactive callbacks could skip commands.allowFrom High
GHSA-w5ww-7chg-mxcq was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers Moderate
CVE-2026-53818 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement Low
GHSA-3wqp-prf6-2m72 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Embedded runner policy could be confused by provider aliases Moderate
CVE-2026-53809 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks Moderate
GHSA-77pv-3w4q-vrj5 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Mattermost handlers could fall open when channel type was missing Moderate
GHSA-gp79-m99v-gjmh was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Skill Workshop apply flow could override pending approval Moderate
GHSA-cqwv-9qjx-vxw2 was published for openclaw (npm) Jul 2, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state Moderate
CVE-2026-53854 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Empty-scope device re-pairing could confuse caller scope containment Low
CVE-2026-53852 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Focus command could miss controlScope enforcement Moderate
CVE-2026-53850 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: memory-wiki shared search could miss session visibility checks Moderate
CVE-2026-53844 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Skill-command dispatch could skip before-tool-call hooks Low
CVE-2026-53845 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Active Memory write scope could mutate global config Moderate
CVE-2026-53847 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags Moderate
CVE-2026-53861 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Tool group policy callers could accept unvalidated group IDs Moderate
CVE-2026-53863 was published for openclaw (npm) Jun 18, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
Mermaid: Improper sanitization of configuration leads to CSS injection Moderate
CVE-2026-41159 was published for mermaid (npm) May 11, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and aloisklink KeenSecurityLab KeenSecurityLab
aloisklink aloisklink
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection Moderate
CVE-2026-41149 was published for mermaid (npm) May 11, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and aloisklink KeenSecurityLab KeenSecurityLab
aloisklink aloisklink
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes High
GHSA-cwj3-vqpp-pmxr was published for openclaw (npm) May 5, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw's Gateway Control UI bootstrap config required Gateway auth Moderate
GHSA-93rg-2xm5-2p9v was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw's ACP child sessions inherit subagent security envelope constraints Moderate
CVE-2026-44997 was published for openclaw (npm) May 4, 2026
zsxsoft Credited to zsxsoft, qclawer, and KeenSecurityLab qclawer qclawer
KeenSecurityLab KeenSecurityLab
OpenClaw: Webchat audio embedding could read local files without local-root containment Moderate
GHSA-gfg9-5357-hv4c was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners Moderate
CVE-2026-44991 was published for openclaw (npm) Apr 29, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Agent gateway config mutations could change protected operator settings Moderate
GHSA-7jm2-g593-4qrc was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy Moderate
GHSA-qrp5-gfw2-gxv4 was published for openclaw (npm) Apr 25, 2026
zsxsoft Credited to zsxsoft, KeenSecurityLab, and qclawer KeenSecurityLab KeenSecurityLab
qclawer qclawer
ProTip! Advisories are also available from the GraphQL API