Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
49
GitHub Actions
49
Go
3,416
Maven
5,000+
npm
5,000+
NuGet
882
pip
4,657
Pub
13
RubyGems
1,027
Rust
1,209
Swift
53
Unreviewed advisories
All unreviewed
5,000+

30 advisories

Loading
OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes Moderate
CVE-2026-32045 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback) Moderate
CVE-2026-32896 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw has a IPv6 multicast SSRF classifier bypass Moderate
GHSA-h97f-6pqj-q452 was published for openclaw (npm) Mar 3, 2026
zpbrent Credited to zpbrent
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP Moderate
GHSA-8cp7-rp8r-mg77 was published for openclaw (npm) Mar 4, 2026
zpbrent Credited to zpbrent
OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots Moderate
GHSA-j425-whc4-4jgc was published for openclaw (npm) Mar 9, 2026
tdjackey Credited to tdjackey, SnailSploit, and zpbrent SnailSploit SnailSploit
zpbrent zpbrent
OpenClaw's MS Teams sender allowlist bypass when route allowlist is configured and sender allowlist is empty Moderate
CVE-2026-34506 was published for openclaw (npm) Mar 12, 2026
zpbrent Credited to zpbrent
ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation Moderate
GHSA-4cm8-xpfv-jv6f was published for zeptoclaw (Rust) Mar 12, 2026
zpbrent Credited to zpbrent
OpenClaw: Discord guild reaction ingress could bypass users and roles allowlists Moderate
GHSA-9vvh-2768-c8vp was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw's Zalouser allowlist authorization matched mutable group names by default Moderate
GHSA-f5mf-3r52-r83w was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu reaction events could bypass group authorization and mention gating Moderate
GHSA-m69h-jm2f-2pv8 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Exec approval allowlist patterns overmatched on POSIX paths Moderate
GHSA-f8r2-vg7x-gh8m was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation Moderate
CVE-2026-34505 was published for openclaw (npm) Mar 13, 2026
zpbrent Credited to zpbrent
OpenClaw may have stale policy enforcement for queued node actions Moderate
GHSA-wj55-88gf-x564 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status Moderate
GHSA-ppwq-6v66-5m6j was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions Moderate
GHSA-8883-9w57-vwv6 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete Moderate
GHSA-vfg3-pqpq-93m4 was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: Nextcloud Talk room allowlist matched colliding room names instead of stable room tokens Moderate
GHSA-xhq5-45pm-2gjr was published for openclaw (npm) Mar 26, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Webhook Missing Rate Limiting Enables Brute-Force Password Guessing Moderate
GHSA-xq8g-hgh6-87hv was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Moderate
GHSA-9wqx-g2cw-vc7r was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: BlueBubbles Group Reactions Bypass requireMention and Still Enqueue Agent-Visible System Events Moderate
GHSA-mw7w-g3mg-xqm7 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret Moderate
GHSA-vcx4-4qxg-mfp4 was published for openclaw (npm) Mar 27, 2026
zpbrent Credited to zpbrent
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope Moderate
GHSA-5jvj-hxmh-6h6j was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName Moderate
GHSA-52q4-3xjc-6778 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing Moderate
GHSA-77w2-crqv-cmv3 was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback Moderate
GHSA-rf6h-5gpw-qrgq was published for openclaw (npm) Mar 29, 2026
zpbrent Credited to zpbrent
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database