CVE Vulnerabilities - 3 April 2026
122 vulnerabilities published on 3 April 2026
Discord Voice Chat Security Flaw in OpenClaw Allows Unauthorized Access
GHSA-x2m8-53h4-6hch
A security flaw in OpenClaw, a Discord bot, allows hackers to bypass security checks and access voice chat channels without permission. This issue affects all versions of OpenClaw up to and including ...
7.3
Discord Integration in OpenClaw Misclassifies Group Messages as Direct Messages
GHSA-6336-qqw9-v6x6
A bug in OpenClaw's Discord integration causes group messages to be incorrectly identified as direct messages, which can lead to unintended consequences in your messaging setup. This issue affects ver...
7.3
OpenClaw diffs viewer misclassifies proxied remote requests when `allowRemoteViewer` is disabled
GHSA-3xv9-89fm-7h4r
The OpenClaw diffs viewer incorrectly identifies remote requests as local requests when a security setting is turned off, potentially allowing unauthorized access to sensitive data. This is a relative...
7.3
Discord Voice Manager Allows Unauthorized Access
GHSA-cqgw-44wg-44rf
The Discord voice manager in OpenClaw does not properly control access to voice channels, allowing unauthorized members to join and participate in voice conversations. This could lead to sensitive inf...
7.3
OpenClaw: Untrusted Model Can Hijack Compiler Binaries
GHSA-g8xp-qx39-9jq9
A security flaw in OpenClaw allows an untrusted model to replace critical compiler binaries, which could potentially lead to malicious code being executed. This issue affects versions of OpenClaw up t...
7.3
OpenClaw: Workspace .env File Can Override Trust Settings
GHSA-qcj9-wwgw-6gm8
A high-risk issue exists in OpenClaw versions up to 2026.3.28, where a workspace's .env file can override the trust settings for bundled plugins. This could allow an attacker to gain unauthorized acce...
7.3
Tornado Web Server Cookie Attribute Data Injection
CVE-2026-35536
A security weakness in Tornado's cookie handling could allow an attacker to manipulate cookie settings. This could lead to unauthorized access to sensitive information. Update to Tornado 6.5.5 or late...
7.2
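The entry above names the bug class without showing it. The following is an added illustration of cookie attribute data injection in general, not Tornado's code and not the specific defect behind CVE-2026-35536: a Set-Cookie builder that interpolates an attacker-influenced attribute value (here `Path`) unchecked, beside one that validates each field against the RFC 6265 character classes, plus a minimal client-side parse so the smuggled attribute is visible. Function names and the sample payload are constructed for this example.

```python
import re

# Character classes from RFC 6265 section 4.1.1: cookie-name is a token, cookie-value
# is cookie-octets, path-value is any CHAR except CTLs and ";". Domain is restricted to
# hostname characters. fullmatch() is used so a trailing CR/LF cannot slip past "$".
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")
_PATH_VALUE = re.compile(r"[\x20-\x3a\x3c-\x7e]*")
_DOMAIN_VALUE = re.compile(
    r"\.?[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*"
)


def set_cookie_vulnerable(name, value, path="/", domain=None):
    # Attribute values are pasted straight into the header, so a path such as
    # "/; Domain=attacker.example" appends attributes the server never intended.
    header = f"{name}={value}; Path={path}; Secure; HttpOnly"
    if domain:
        header += f"; Domain={domain}"
    return header


def set_cookie_hardened(name, value, path="/", domain=None):
    """Same header, but every field must match its RFC 6265 grammar or we fail closed."""
    if not _TOKEN.fullmatch(name):
        raise ValueError("invalid cookie name")
    if not _COOKIE_OCTETS.fullmatch(value):
        raise ValueError("invalid cookie value")
    if not _PATH_VALUE.fullmatch(path):
        raise ValueError("invalid cookie Path attribute")
    if domain is not None and not _DOMAIN_VALUE.fullmatch(domain):
        raise ValueError("invalid cookie Domain attribute")
    header = f"{name}={value}; Path={path}; Secure; HttpOnly"
    if domain:
        header += f"; Domain={domain}"
    return header


def parse_set_cookie(header):
    """Minimal client-side view of a Set-Cookie line: (name, value, {attr_lower: value|True})."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, sep, val = part.strip().partition("=")
        attrs[key.lower()] = val if sep else True
    return name, value, attrs


if __name__ == "__main__":
    # Constructed payload: a Path value that smuggles Domain and Max-Age attributes.
    evil_path = "/; Domain=attacker.example; Max-Age=31536000"
    print(set_cookie_vulnerable("sid", "abc123", path=evil_path))
    print(parse_set_cookie(set_cookie_vulnerable("sid", "abc123", path=evil_path))[2])
    try:
        set_cookie_hardened("sid", "abc123", path=evil_path)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

The practical check is the same whichever framework you use: any attribute value derived from request data (a redirect target used as `Path`, a host used as `Domain`) must be validated against the cookie grammar before it reaches the header line, since browsers split Set-Cookie on ";" and will honour whatever attributes follow.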
Ajenti: Non-Admin Users Can Install Custom Packages
GHSA-73jv-44c3-j5p2
CVE-2026-35175
A user with a valid login can install custom packages without needing admin privileges. This is fixed in version 2.2.15; upgrade to that version to close the issue.
7.2
Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata
GHSA-cqgf-f4x7-g6wc
CVE-2026-35037
The `GET /api/website/title` endpoint accepts an arbitrary URL via the `website_url` query parameter and makes a server-side HTTP request to it without any validation of the target host or...
7.2
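The advisory above describes the classic shape of an SSRF: a query parameter is fetched server-side with no check on where it points. The block below is an added example, not Ech0's code, of the guard such an endpoint needs before fetching: it rejects non-HTTP schemes and embedded credentials, resolves the host, and refuses any address that is not globally routable, which covers loopback, RFC 1918 ranges and the link-local 169.254.169.254 metadata endpoint. The DNS table, hostnames and function names are constructed for the example; a real service would resolve names through its resolver and apply the same check to every returned address.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (hostname -> addresses) so the example runs offline.
# A real service must check every address a name resolves to, not just the first.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],       # cloud metadata endpoint, link-local
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one RFC 1918: reject
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global is False for loopback, private (RFC 1918, fc00::/7), link-local
    # (169.254/16, fe80::/10), unspecified, shared (100.64/10) and reserved ranges.
    return addr.is_global and not addr.is_multicast


def validate_fetch_target(url: str, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (ok, reason). Run this before any server-side fetch of a user-supplied URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # literal IP in the URL: check it directly, no DNS
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, "host does not resolve"
    for ip in addrs:
        if not is_public_ip(ip):
            return False, f"{host} maps to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://example.com/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]:8080/",
        "http://metadata.internal/",
        "http://dual.example/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_fetch_target(candidate))
```

Two caveats a practitioner will want: the check has to be re-applied on every redirect hop (disable automatic redirects in the HTTP client and validate each Location yourself), and to defeat DNS rebinding the fetch should connect to the address that was validated rather than resolving the name a second time.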
OpenClaw: Files and Credentials Can Be Stolen by Malicious Apps
GHSA-57gh-m6rq-54cf
A security issue in OpenClaw allows malicious apps to read files and steal sensitive information, including login credentials. This issue affects versions of OpenClaw up to 2026.3.28. To fix it, updat...
7.2
Antrea Fails to Encrypt IPv6 Traffic in Dual-Stack Clusters
GHSA-qcmw-8mm4-4p28
CVE-2026-34992
If you use Antrea with dual-stack networking and encryption, some data may be sent unencrypted. This is a security risk, especially for sensitive information. To fix this, update to Antrea version 2.6...
7.1
Kedro: Malicious File Access Through Version String
GHSA-6326-w46w-ppjw
CVE-2026-35167
A security risk exists in Kedro's file loading feature. An attacker could use a specially crafted version string to access files outside the intended directory, potentially leading to unauthorized dat...
7.1
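The Kedro entry describes path traversal through a version string that is joined into a file path. The following is an added example of that class and its fix, not Kedro's own code or its real version format: a join that trusts the version component beside one that requires the version to match a strict pattern and then confirms the resulting path is still inside the base directory. The timestamp-style version format, directory names and function names are assumptions made for the example.

```python
import posixpath
import re

# Assumed version-string format for this example (timestamp-like): digits, dashes,
# dots, "T" and "Z" only. fullmatch() leaves no room for "/" or "..".
_VERSION_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}\.\d{2}\.\d{2}\.\d{3}Z")


def versioned_path_vulnerable(base_dir, version, filename):
    # join() trusts every component: "../" walks up out of base_dir, and an
    # absolute version discards base_dir entirely.
    return posixpath.normpath(posixpath.join(base_dir, version, filename))


def versioned_path_hardened(base_dir, version, filename):
    """Build <base>/<version>/<filename>, refusing anything that leaves base_dir."""
    if not _VERSION_RE.fullmatch(version):
        raise ValueError(f"malformed version string: {version!r}")
    if posixpath.sep in filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a single path component")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, version, filename))
    # Second, independent check: even if the pattern were loosened later, the
    # normalised result must still sit under base.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {candidate!r}")
    return candidate


if __name__ == "__main__":
    base = "/data/model"
    print(versioned_path_vulnerable(base, "../../etc", "passwd"))
    print(versioned_path_vulnerable(base, "/etc", "passwd"))
    print(versioned_path_hardened(base, "2026-04-03T10.00.00.000Z", "model.pkl"))
    for bad in ("../../etc", "/etc", "2026-04-03T10.00.00.000Z/../.."):
        try:
            versioned_path_hardened(base, bad, "model.pkl")
        except ValueError as exc:
            print("rejected:", exc)
```

When the storage backend is a filesystem, resolve symlinks with `os.path.realpath` before the containment check as well; the string-level check above cannot see a symlink inside `base_dir` that points elsewhere.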
macOS OpenClaw Allows Attackers to Steal User Credentials
GHSA-q9w8-cf67-r238
A vulnerability in the macOS OpenClaw package allows attackers who are on the same network as the user to trick the system into thinking they are a trusted authority and steal the user's login credent...
7.1
OpenClaw Media Parsing Flaw Allows Unauthorized File Access
GHSA-f6pf-4gjx-c94r
A security flaw in OpenClaw version 2026.3.24 and earlier allows attackers to read arbitrary files on your server. This means that a malicious user could potentially access sensitive data they shouldn...
7.1
Electron Apps Crash or Malfunction on Windows or macOS
GHSA-jjp3-mq3x-295m
CVE-2026-34770
Some Electron-based apps may crash or malfunction when using power-saving features on Windows or macOS. This is due to a software bug that affects apps that use power-saving alerts. To fix the issue, ...
7.0
OpenClaw: Leaks Gateway Credentials After Trust Decline
GHSA-9f4w-67g7-mqwv
If you use OpenClaw, a bug can allow an attacker to keep access to your account even if you decline a new endpoint. This is because OpenClaw doesn't properly remove the endpoint when you decline it. T...
6.9
Telegram audio transcription can waste resources for unauthorized senders in OpenClaw
GHSA-m6fx-m8hc-572m
An update to the OpenClaw software allows unauthorized Telegram group senders to use up your resources, such as CPU and storage. This is not a direct security threat, but it can cause financial issues...
6.9
OpenClaw: Large Voice Call WebSocket Frames Can Cause Resource Consumption
GHSA-2w79-r9g8-wmcr
A medium-severity issue in OpenClaw's voice call feature allows an attacker to cause resource consumption by sending large WebSocket frames before they are fully validated. This issue affects versions...
6.9
OpenClaw exposes sensitive information through its control interface
GHSA-hr8g-2q7x-3f4w
A recent update to OpenClaw's control interface inadvertently exposed sensitive information, such as version numbers and agent IDs. This information disclosure is not a major security risk, but it cou...
6.9
OpenClaw can be crashed by huge images
GHSA-w85g-3h6x-4xh2
A bug in OpenClaw's image processing can cause it to crash when dealing with extremely large images, leading to a denial-of-service (DoS) situation. This affects users who rely on OpenClaw for image p...
6.9
Discord Audio Transcription Leaks Sensitive Info Before Authorization
GHSA-hhff-fj5f-qg48
The OpenClaw package for Discord audio transcription processes sensitive audio data before checking if the user is authorized, which could potentially expose confidential information. This issue has b...
6.9
OpenClaw Startup Can Restore Revoked Settings After Restart
GHSA-3pm9-5j7m-59vc
An earlier version of OpenClaw could restore revoked settings after a restart, allowing unauthorized access. This has been fixed in version 2026.3.31. Update to the latest version to ensure security a...
6.8
Electron: Unsecured Node.js Integration in Shared Processes
GHSA-xwr5-m59h-vwqr
CVE-2026-34775
Electron apps that enable Node.js integration in shared processes may be vulnerable to security risks. If you use Electron, avoid enabling Node.js integration in apps that open child windows or embed ...
6.8
Electron Apps on macOS Can Be Hijacked by Malicious Files
GHSA-5rqw-r77c-jp79
CVE-2026-34779
Some Electron apps on macOS can be tricked into running malicious AppleScript code if the user agrees to move the app to the Applications folder. This is a risk if your Electron app uses the `app.move...
6.5
Shynet Password Reset Flow Allows Host Header Manipulation
CVE-2026-35507
An attacker can manipulate the password reset process by controlling the Host header in Shynet, potentially leading to account takeover. Users of Shynet versions prior to 0.14.0 should update to the l...
6.4
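The Shynet entry describes password-reset poisoning via the Host header. As an added illustration of the class (not Shynet's code or its actual fix), the block below builds a reset link the unsafe way, from whatever host the request carried, and the safe way, by validating the Host header against a configured allow-list and then constructing the link from a configured canonical origin rather than from request data. The host names, settings and function names are assumptions made for the example.

```python
# Assumed deployment settings for this example: the hosts the application may be
# served under, and the canonical origin that outbound links are built from.
ALLOWED_HOSTS = {"analytics.example.com"}
CANONICAL_ORIGIN = "https://analytics.example.com"


def _host_only(host_header):
    """Lower-case the Host value and strip an optional port (handles [v6]:port too)."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host[: host.index("]") + 1] if "]" in host else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def reset_link_vulnerable(headers, token):
    # The link is built from the client-controlled Host (or X-Forwarded-Host), so the
    # victim who clicks it hands the reset token to an attacker-chosen domain.
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset/{token}"


def reset_link_hardened(headers, token):
    """Reject requests for unknown hosts and never echo request data into the link."""
    host = _host_only(headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"disallowed Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset/{token}"


if __name__ == "__main__":
    # Constructed request headers as an attacker would send them.
    poisoned = {"Host": "attacker.example"}
    forwarded = {"Host": "analytics.example.com", "X-Forwarded-Host": "attacker.example"}
    print(reset_link_vulnerable(poisoned, "tok"))
    print(reset_link_vulnerable(forwarded, "tok"))
    print(reset_link_hardened(forwarded, "tok"))
    try:
        reset_link_hardened(poisoned, "tok")
    except ValueError as exc:
        print("rejected:", exc)
```

If the application sits behind a reverse proxy that legitimately sets X-Forwarded-Host, trust that header only from the proxy's address and validate its value against the same allow-list; the link itself should still come from the configured origin.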