CVE-2026-11719
Google APIs · MCP Toolbox for Databases
HIGH · shipped local check
dependency manifest
legacy MCP protocol handlers before 1.4.0 skip per-tool scopesRequired checks.
public advisory ledger · shipped checks first
A public snapshot of shipped local checks and selected advisory triage for AI-agent configuration risk.
Only rows marked “shipped local check” are detected by Audr today. Candidate and investigating rows show advisory triage discipline, not detection coverage.
shipped local checks: 78
latest advisory reviewed: 2026-06-19
agent products represented: 33
public snapshot updated: 2026-06-20
shipped local check: Audr has a local scanner rule for this advisory signal today.
candidate local signal: Audr has identified a plausible local config, manifest, or posture signal. This is triage, not current detection.
under investigation: Audr is still validating whether there is an honest local signal. This is not current detection.
current supply-chain campaign
The worm is not just an npm advisory. It leaves local developer-machine evidence: package versions, AI-tool persistence hooks, workflow secret exfiltration, and dropped payload files.
detected today
78 public shipped rows
| CVE | Vendor · Product | Severity | Status | Local signal | Summary |
|---|---|---|---|---|---|
| CVE-2026-11719 | Google APIs · MCP Toolbox for Databases | HIGH | shipped local check | dependency manifest | legacy MCP protocol handlers before 1.4.0 skip per-tool scopesRequired checks. |
| CVE-2026-49257 | StarTreeData · mcp-pinot | CRITICAL | shipped local check | dependency manifest | mcp-pinot 3.0.1 and earlier default to an unauthenticated HTTP MCP server on 0.0.0.0:8080. |
| CVE-2026-48124 | Cursor · Cursor Desktop | HIGH | shipped local check | plugin/hook config | workspace-defined Claude hook commands could run without dedicated approval before 3.0.0. |
| CVE-2026-11624 | Google APIs · MCP Toolbox for Databases | HIGH | shipped local check | dependency manifest | wildcard Origin and Host defaults allow DNS rebinding against local Toolbox MCP servers before hardened startup flags are used. |
| CVE-2026-53838 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | node pairing reconnection can confuse approval scope decisions before 2026.5.27. |
| CVE-2026-46519 | MCP Server Kubernetes · MCP Server Kubernetes | HIGH | shipped local check | dependency manifest | tool allowlist environment variables were enforced only during tools/list before 3.6.0. |
| CVE-2026-47250 | MCP Server Kubernetes · MCP Server Kubernetes | MEDIUM | shipped local check | dependency manifest | kubectl_generic passed user-supplied flags to kubectl before 3.7.0. |
| CVE-2026-53806 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | combined POSIX shell flags can bypass exec revalidation before 2026.5.12. |
| CVE-2026-53807 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Telegram interactive callbacks can skip commands.allowFrom validation before 2026.5.6. |
| CVE-2026-53810 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | marketplace runtime extension metadata can redirect loading toward unscanned package payloads before 2026.5.18. |
| CVE-2026-53811 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Matrix allowFrom policy can match mutable display-name metadata before 2026.5.7. |
| CVE-2026-53812 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | browser-control redirects can bypass private-network navigation blocks before 2026.5.18. |
| CVE-2026-53813 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | memory-core artifact root resolution can traverse to unintended local package roots before 2026.4.25. |
| CVE-2026-53814 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | hook-triggered agent runs can incorrectly receive owner-scoped MCP loopback access before 2026.5.20. |
| CVE-2026-53816 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | paired or compromised nodes can forge exec lifecycle events before 2026.5.18. |
| CVE-2026-53817 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Control UI pairing can trust spoofed locality information before 2026.5.22. |
| CVE-2026-53819 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | workspace .env files can override Homebrew executable selection during skill install before 2026.5.27. |
| CVE-2026-31942 | LibreChat · LibreChat | HIGH | shipped local check | dependency manifest | API key updates can target another user through request body userId fields before 0.8.3. |
| CVE-2026-32625 | LibreChat · LibreChat | CRITICAL | shipped local check | dependency manifest | MCP URL placeholders resolve server environment secrets through 0.8.3. |
| CVE-2026-44653 | LibreChat · LibreChat | MEDIUM | shipped local check | dependency manifest | VIEW users can receive decrypted admin-managed MCP secrets through 0.8.3. |
| CVE-2026-10280 | horizon921 · mcpilot | HIGH | shipped local check | dependency manifest | serverBaseUrl handling can allow SSRF in mcpilot client 0.1.0. |
| CVE-2026-32905 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | device-pair plugin can issue bootstrap codes from non-owner chats before 2026.5.4. |
| CVE-2026-32906 | OpenClaw · OpenClaw | MEDIUM | shipped local check | dependency manifest | Slack plugin approvals use the wrong approval gate before 2026.5.12. |
| CVE-2026-34507 | OpenClaw · OpenClaw | MEDIUM | shipped local check | dependency manifest | QQBot admin commands can skip DM-only and allowFrom policy before 2026.4.29. |
| CVE-2026-35630 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | QQBot native approval buttons miss approver identity checks before 2026.5.18. |
| CVE-2026-35673 | OpenClaw · OpenClaw | MEDIUM | shipped local check | dependency manifest | browser debug/export routes can reuse blocked tabs before 2026.4.29. |
| CVE-2026-35674 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Gateway chat.send scope checks allow privileged command paths before 2026.5.18. |
| CVE-2026-48116 | AnythingLLM · AnythingLLM | HIGH | shipped local check | dependency manifest | filesystem search passes prompt-controlled terms to ripgrep as options before 1.13.0. |
| CVE-2026-44830 | Nocturne Memory · Nocturne Memory | HIGH | shipped local check | dependency manifest | empty API_TOKEN disables bearer-token auth before 2.4.1. |
| CVE-2026-44450 | prolix-oc · Lumiverse | CRITICAL | shipped local check | dependency manifest | MCP server args are forwarded to code-capable allowlisted binaries before 0.9.7. |
| CVE-2026-44895 | yoda-digital · GitLab MCP Server | CRITICAL | shipped local check | MCP server config | HTTP/SSE transport exposes GitLab token-backed MCP tools without authentication before 0.6.0. |
| CVE-2026-9468 | dazeb · cline-mcp-memory-bank | MEDIUM | shipped local check | dependency manifest | initialize projectPath handling can write outside the intended memory-bank directory. |
| CVE-2026-9353 | NousResearch · hermes-agent | HIGH | shipped local check | dependency manifest | Skills Guard multi-word prompt pattern hardening is missing before 0.15.0. |
| CVE-2026-2611 | MLflow · MLflow Assistant | CRITICAL | shipped local check | dependency manifest | Assistant ajax-api origin validation lets hostile pages reconfigure local agents. |
| CVE-2026-47090 | Claude HUD · Claude HUD | MEDIUM | shipped local check | dependency manifest | OSC 8 hyperlinks use raw cwd and branch URL values through 0.0.12. |
| CVE-2026-47092 | Claude HUD · Claude HUD | HIGH | shipped local check | dependency manifest | COMSPEC is trusted during Windows version checks through 0.0.12. |
| CVE-2026-44641 | Microsoft · Microsoft APM | HIGH | shipped local check | dependency manifest | plugin.json component paths can escape the plugin directory before 0.8.12. |
| CVE-2026-44717 | 611711Dark · MCP Calculate Server | CRITICAL | shipped local check | dependency manifest | SymPy expression tool input reaches Python eval before 0.1.1. |
| CVE-2026-45033 | GitHub · GitHub Copilot CLI | HIGH | shipped local check | plugin/hook config | nested bare Git repositories can execute configured helpers during agent git operations before 1.0.43. |
| CVE-2026-43990 | JunoClaw · JunoClaw plugin-shell | HIGH | shipped local check | dependency manifest | agent commands are wrapped in sh -c or cmd /C in plugin-shell 0.1.0. |
| CVE-2026-43991 | JunoClaw · JunoClaw plugin-shell | HIGH | shipped local check | dependency manifest | raw command blocklist checks can be bypassed in plugin-shell 0.1.0. |
| CVE-2026-44246 | Anthropic / Claude Code Action · nnU-Net issue triage workflow | HIGH | shipped local check | permissions/trust config | Issue-triggered Claude Code workflows embed untrusted issue title/body content. |
| CVE-2026-5029 | formulahendry · Code Runner MCP Server | CRITICAL | shipped local check | dependency manifest | HTTP transport exposes the run-code MCP tool without authentication on port 3088. |
| CVE-2026-43901 | MCP · Wireshark MCP | MEDIUM | shipped local check | dependency manifest | export_objects accepts attacker-controlled destination directories when no allowlist is configured. |
| CVE-2026-8305 | OpenClaw · OpenClaw | MEDIUM | shipped local check | dependency manifest | BlueBubbles webhook handling is authorization-bypass prone before 2026.2.12. |
| CVE-2026-43575 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Sandbox noVNC helper route exposes browser session credentials. |
| CVE-2026-43578 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Async exec completions bypass heartbeat owner downgrade checks. |
| CVE-2026-43581 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Sandbox CDP relay binds Chrome DevTools to all interfaces. |
| CVE-2026-43585 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Bearer SecretRefs are cached through token rotation. |
| CVE-2026-44109 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Feishu webhook validation fails open when auth material is blank. |
| CVE-2026-44110 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Matrix room control commands trust DM pairing-store entries before 2026.4.15. |
| CVE-2026-43534 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | External hook metadata is queued as trusted system events. |
| CVE-2026-43566 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Heartbeat owner downgrade weakens channel ownership boundaries. |
| CVE-2026-7729 | pixelsock · directus-mcp | LOW | shipped local check | dependency manifest | fileUrl validation can allow SSRF in directus-mcp 1.0.0. |
| CVE-2026-41366 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | local media roots can be self-whitelisted before 2026.3.31. |
| CVE-2026-41368 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | jq safe-bin expressions can disclose process environment before 2026.3.28. |
| CVE-2026-41370 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | ACP attachment paths can traverse outside the workspace before 2026.3.31. |
| CVE-2026-7221 | TencentCloudBase · CloudBase-MCP | MEDIUM | shipped local check | dependency manifest | openUrl can be abused for SSRF before CloudBase-MCP 2.17.1. |
| CVE-2026-7417 | Algovate · xhs-mcp | MEDIUM | shipped local check | dependency manifest | MCP media_paths handling can be steered into SSRF in 0.8.11. |
| CVE-2026-41378 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | node.event requests can reach unrestricted gateway tools. |
| CVE-2026-41386 | OpenClaw · OpenClaw | CRITICAL | shipped local check | dependency manifest | Bootstrap setup codes are not role-bound during first-use pairing. |
| CVE-2026-41394 | OpenClaw · OpenClaw | HIGH | shipped local check | plugin/hook config | plugin-auth routes receive operator runtime write scopes without auth. |
| CVE-2026-41396 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Workspace .env overrides the bundled plugin trust root. |
| CVE-2026-41399 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | WebSocket upgrades consume socket and worker capacity before auth. |
| CVE-2026-41404 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | Trusted-proxy scope clearing lets non-Control-UI clients self-declare operator scopes. |
| CVE-2026-41405 | OpenClaw · OpenClaw | HIGH | shipped local check | plugin/hook config | MS Teams webhook bodies are parsed before JWT validation. |
| CVE-2026-42422 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | device.token.rotate can mint roles that were not approved for the device. |
| CVE-2026-42426 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | node.pair.approve accepts broad operator.write instead of pairing scope. |
| CVE-2026-7316 | eiliyaabedini · aider-mcp | MEDIUM | shipped local check | dependency manifest | working_dir and editable_files handling can allow command injection in vulnerable GitHub source installs. |
| CVE-2026-7146 | AlejandroArciniegas · mcp-data-vis | MEDIUM | shipped local check | dependency manifest | web-scraper URL handling can be abused for SSRF in 1.0.0. |
| CVE-2026-7147 | JoeCastrom · mcp-chat-studio | MEDIUM | shipped local check | dependency manifest | model API base_url handling can allow SSRF through 1.5.0. |
| CVE-2026-7157 | disler · aider-mcp-server | MEDIUM | shipped local check | dependency manifest | editable file path handling can lead to command injection in 0.1.0. |
| CVE-2026-7158 | dmitryglhf · mcp-url-downloader | MEDIUM | shipped local check | dependency manifest | URL validation can be bypassed for SSRF in 0.1.0. |
| CVE-2026-41336 | OpenClaw · OpenClaw | HIGH | shipped local check | plugin/hook config | Workspace .env overrides the bundled hooks trust root. |
| CVE-2026-41349 | OpenClaw · OpenClaw | HIGH | shipped local check | dependency manifest | config.patch can silently disable execution approval. |
| CVE-2025-59536 | Anthropic · Claude Code | CRITICAL | shipped local check | plugin/hook config | Settings hooks execute arbitrary shell on PreToolUse / Stop events. |
| CVE-2026-25253 | OpenClaw · OpenClaw | HIGH | shipped local check | MCP server config | MCP credentials stored plaintext in user-readable config. |
| CVE-2026-39861 | Anthropic · Claude Code | HIGH | shipped local check | permissions/trust config | Symlink in workspace allows sandbox escape on read. |
public-safe research snapshot
These rows are not detected by Audr unless marked shipped. They show where Audr is evaluating honest local-config evidence next.
capped at 12 rows
| CVE | Vendor · Product | Severity | Status | Local signal | Summary |
|---|---|---|---|---|---|
| CVE-2026-48814 | Network-AI · Network-AI | CRITICAL | candidate local signal | dependency manifest | Network-AI is a TypeScript/Node.js multi-agent orchestrator. In versions 5.7.1 and earlier, the MCP SSE server allows unauthenticated cross-origin MCP tool… |
| CVE-2026-48989 | CursorTouch · Windows-MCP | HIGH | candidate local signal | dependency manifest | Windows-MCP is an open-source project that integrates AI agents with Windows. In versions prior to 0.7.5, certain HTTP modes exposed the MCP control plane… |
| CVE-2026-53820 | OpenClaw · OpenClaw | MEDIUM | candidate local signal | dependency manifest | OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to… |
| CVE-2026-53821 | OpenClaw · OpenClaw | HIGH | candidate local signal | dependency manifest | OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization… |
| CVE-2026-53822 | OpenClaw · OpenClaw | HIGH | candidate local signal | dependency manifest | OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can… |
| CVE-2026-53823 | OpenClaw · OpenClaw | HIGH | candidate local signal | dependency manifest | OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with… |
| CVE-2026-53824 | OpenClaw · OpenClaw | MEDIUM | candidate local signal | dependency manifest | OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor… |
| CVE-2026-53825 | OpenClaw · OpenClaw | MEDIUM | candidate local signal | dependency manifest | OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with… |
| CVE-2026-53826 | OpenClaw · OpenClaw | MEDIUM | candidate local signal | dependency manifest | OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child… |
| CVE-2026-53827 | OpenClaw · OpenClaw | MEDIUM | candidate local signal | dependency manifest | OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action… |
| CVE-2026-53828 | OpenClaw · OpenClaw | HIGH | candidate local signal | dependency manifest | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only… |
| CVE-2026-53829 | OpenClaw · OpenClaw | HIGH | candidate local signal | dependency manifest | OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers.… |
Static public snapshot generated 2026-06-20T16:42:04Z from advisory triage reviewed through 2026-06-19. This page is not a live vulnerability feed.