CVSS 7.5 | CVE-2026-27670 | CVE-2026-28461 | CVE-2026-32039

Multiple OpenClaw Vulnerabilities Patched

Critical security update for OpenClaw. Multiple vulnerabilities patched, including potential for code execution and authorization bypass. Update to the latest version now!


A series of vulnerabilities has been discovered in OpenClaw, a nodejs component, potentially leading to remote code execution, denial of service, authorization bypass, and sensitive information disclosure. These vulnerabilities affect several parts of OpenClaw, including its core functionality and plugin ecosystem. Patched versions are now available; users are strongly advised to update immediately.

These vulnerabilities range from medium to critical, posing significant risks to OpenClaw deployments.

What is OpenClaw?

OpenClaw is a versatile component built for the nodejs environment, offering a range of functionalities. It's designed to streamline various tasks within nodejs applications. However, like any software, OpenClaw is subject to vulnerabilities that can compromise its security and stability. To learn more about OpenClaw and its security, you can search all openclaw CVEs.

CVE-2026-27670: OpenClaw ZIP Extraction Race Condition

CVSS 7.5
Affected versions: OpenClaw 2026.3.1 and earlier.

High severity due to potential for arbitrary file write.

EPSS score of 0.012 indicates a low probability of exploitation.

A race condition exists in OpenClaw's ZIP extraction process. Attackers could potentially write outside the intended destination directory by manipulating symlinks during the extraction.

How to fix CVE-2026-27670 in OpenClaw

Patch immediately
  1. Update the `openclaw` package to version 2026.3.2 or later.

Update OpenClaw:

    npm update openclaw

Workaround: There is no known workaround. Update to the patched version.

NextGuard automatically flags CVE-2026-27670 if `openclaw` appears in any of your monitored projects — no manual lookup required.

CVE-2026-28461: OpenClaw Unbounded Memory Growth in Zalo Webhook

CVSS 7.5
Affected versions: OpenClaw 2026.2.26 and earlier.

High severity due to potential for denial of service.

EPSS score of 0.093 suggests a moderate probability of exploitation.

Unauthenticated requests to the Zalo webhook endpoint can cause unbounded memory growth. By varying query strings, attackers can exhaust memory resources, leading to a denial of service.

How to fix CVE-2026-28461 in OpenClaw

Patch immediately
  1. Update the `openclaw` package to version 2026.3.1 or later.

Update OpenClaw:

    npm update openclaw

Workaround: There is no known workaround. Update to the patched version.

NextGuard automatically flags CVE-2026-28461 if `openclaw` appears in any of your monitored projects — no manual lookup required.

CVE-2026-32039: OpenClaw Sender-Key Matching Policy Bypass

CVSS 5.9
Affected versions: OpenClaw 2026.2.21-2 and earlier.

Medium severity due to potential for authorization bypass.

EPSS score of 0.024 indicates a low probability of exploitation.

A sender-authorization bypass exists in group tool policy matching. When using untyped keys, an attacker could inherit stronger tool permissions intended for another sender.

How to fix CVE-2026-32039 in OpenClaw

Patch within 7 days
  1. Update the `openclaw` package to version 2026.2.22 or later.

Update OpenClaw:

    npm update openclaw

Workaround: Ensure `toolsBySender` uses explicit typed sender keys.

NextGuard automatically flags CVE-2026-32039 if `openclaw` appears in any of your monitored projects — no manual lookup required.

CVE-2026-32041: OpenClaw Browser Control Startup Authentication Bypass

CVSS 6.9
Affected versions: OpenClaw 2026.2.26 and earlier.

Medium severity due to potential for unauthorized access.

EPSS score of 0.017 indicates a low probability of exploitation.

Browser control startup could continue unauthenticated after an auth bootstrap failure. This exposes browser-control routes without authentication.

How to fix CVE-2026-32041 in OpenClaw

Patch immediately
  1. Update the `openclaw` package to version 2026.3.1 or later.

Update OpenClaw:

    npm update openclaw

Workaround: Ensure explicit auth credentials are configured for browser control.

NextGuard automatically flags CVE-2026-32041 if `openclaw` appears in any of your monitored projects — no manual lookup required.

CVE-2026-32040: OpenClaw HTML Injection Vulnerability

CVSS 4.6
Affected versions: OpenClaw versions prior to 2026.2.23.

Low severity due to limited exploitability.

EPSS score of 0.024 indicates a low probability of exploitation.

OpenClaw is vulnerable to HTML injection via unvalidated image MIME type in data-URL interpolation. A crafted `mimeType` value can break out of the attribute context and execute arbitrary JavaScript.
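The unvalidated interpolation pattern described above next to a hardened form, as an added example that is not OpenClaw's own code: the MIME type is checked against a strict `image/*` allow-list and the base64 payload against its grammar before either reaches the attribute, and the resulting URL is attribute-escaped. The sample inputs are constructed.

```javascript
// Added example (not OpenClaw's own code): allow-list the image MIME type
// before it is interpolated into a data: URL inside an <img src> attribute.
// Sample MIME and base64 values used with these functions are constructed.
const IMAGE_MIME = /^image\/[a-z0-9][a-z0-9.+-]{0,63}$/i;
const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Accept only a syntactically valid image/* type: no quotes, spaces,
// parameters or other characters that could end the attribute value.
function isSafeImageMime(mimeType) {
  return typeof mimeType === "string" && IMAGE_MIME.test(mimeType);
}

// Escape for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Unvalidated interpolation: whatever is in mimeType lands in the attribute.
function renderImageUnsafe(mimeType, base64) {
  return `<img src="data:${mimeType};base64,${base64}">`;
}

// Hardened: reject non-image types and malformed base64, then escape the
// whole URL as an attribute value. Returns null for rejected input.
function renderImage(mimeType, base64) {
  if (!isSafeImageMime(mimeType)) return null;
  if (typeof base64 !== "string" || !BASE64.test(base64)) return null;
  const url = `data:${mimeType.toLowerCase()};base64,${base64}`;
  return `<img src="${escapeAttr(url)}">`;
}
```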

How to fix CVE-2026-32040 in OpenClaw

Patch within 7 days
  1. Update the `openclaw` package to version 2026.2.23 or later.

Update OpenClaw:

    npm update openclaw

Workaround: Sanitize image MIME types in session data.

NextGuard automatically flags CVE-2026-32040 if `openclaw` appears in any of your monitored projects — no manual lookup required.

Stay ahead of nodejs vulnerabilities

Proactively detect and remediate nodejs security threats. Monitor your nodejs dependencies with real-time alerts and actionable insights.


Frequently asked questions

These vulnerabilities highlight the importance of keeping your OpenClaw deployments up to date. Regularly patching your dependencies is crucial for maintaining a secure environment. See all nodejs vulnerabilities.

Related topics

nodejs security | vulnerability management | patch management | application security | OpenClaw