Kexna

#10047of 53,625
27.4Total CVSS
Vulnerabilities · 5
Low
1
Medium
3
High
1
PT-2026-35798
5.4
2026-04-09
Openclaw · Openclaw · CVE-2026-41916
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8 **Description** An authentication state management issue exists where the `resolvedAuth` closure becomes stale following a configuration reload. This allows newly accepted gateway connections to utilize an outdated authentication state, enabling attackers to bypass authentication controls by triggering configuration reload operations. **Recommendations** Update to version 2026.4.8.
PT-2026-35800
5.9
2026-04-09
Openclaw · Openclaw · CVE-2026-42421
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8 **Description** A session management issue exists where WebSocket sessions persist after shared gateway token rotation. This allows attackers to maintain unauthorized access to WebSocket connections because the system fails to disconnect sessions associated with the rotated shared token. **Recommendations** Update to version 2026.4.8.
PT-2026-35806
7.1
2026-04-09
Openclaw · Openclaw · CVE-2026-42428
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8 **Description** OpenClaw fails to enforce integrity verification on downloaded plugin archives. This allows attackers to install malicious or tampered plugin packages without detection, which can compromise the local assistant environment. **Recommendations** Update to version 2026.4.8.
PT-2026-35790
5.3
2026-04-07
Openclaw · Openclaw · CVE-2026-41407
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** A timing side channel occurs in shared-secret comparison call sites that utilize early length-mismatch checks rather than fixed-length comparison helpers. This allows attackers to measure timing differences to leak information regarding the length of the secret, which weakens the constant-time handling of shared secrets. **Recommendations** Update to version 2026.4.2.
PT-2026-34764
3.7
2026-04-03
Openclaw · Openclaw · CVE-2026-41333
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An authentication rate limiting bypass allows attackers to circumvent shared authentication protections by using fake device tokens. By exploiting the mixed WebSocket authentication flow, attackers can bypass rate limiting controls to perform brute force attacks against weak shared passwords. **Recommendations** Update to version 2026.3.31.