Six New OpenClaw Vulnerabilities Patched
Summary
OpenClaw has patched six new vulnerabilities in its agentic AI assistant, including server-side request forgery (SSRF), missing authentication, and path traversal bugs. The vulnerabilities range from moderate to high severity, with some lacking CVE IDs. The flaws affect various components, including the Gateway tool, Telnyx webhook authentication, and browser upload functionality. Endor Labs highlighted the importance of data flow analysis and defense-in-depth validation for AI agent infrastructure. The research also revealed ongoing security concerns, such as misconfigured instances exposed to the public internet and the risk of indirect prompt injection. One additional vulnerability remains unpatched, and major security concerns persist over OpenClaw's undocumented enterprise use.
Timeline
- 19.02.2026 12:00 · 1 article
  Six New OpenClaw Vulnerabilities Patched
  Sources:
  - Researchers Reveal Six New OpenClaw Vulnerabilities — www.infosecurity-magazine.com — 19.02.2026 12:00
Information Snippets
- CVE-2026-26322: SSRF bug in OpenClaw’s Gateway tool (CVSS 7.6).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- CVE-2026-26319: Missing Telnyx webhook authentication (CVSS 7.5).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- CVE-2026-26329: Path traversal in browser upload (high severity, no CVSS score assigned).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- High-severity SSRF in OpenClaw’s image tool (GHSA-56f2-hvwg-5743, CVSS 7.6).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- Moderate-severity SSRF in Urbit authentication (GHSA-pg2v-8xwh-qhcc, CVSS 6.5).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- Moderate-severity Twilio webhook authentication bypass (GHSA-c37p-4qqg-3p76, CVSS 6.5).
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- One additional vulnerability remains unpatched.
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- Tens of thousands of misconfigured OpenClaw instances are exposed to the public internet.
  First reported: 19.02.2026 12:00 · 1 source, 1 article
- Three high-severity CVEs in OpenClaw have public exploit code available.
  First reported: 19.02.2026 12:00 · 1 source, 1 article