How many CVEs did OpenClaw fix in April 2026?

13 security fixes were published on April 9-10, 2026, including privilege escalation (CVSS 8.7), arbitrary code execution (CVSS 8.4), and OAuth PKCE verifier exposure.

What is CVE-2026-35639 in OpenClaw?

A CVSS 8.7 privilege escalation vulnerability where an agent session can resolve and access a different user session by manipulating the sessionId parameter.

What is CVE-2026-35641 in OpenClaw?

A CVSS 8.4 arbitrary code execution flaw targeting .npmrc files during local plugin installation. Scoped credentials and custom registry entries from plugin .npmrc files are now ignored.

What version of OpenClaw fixes the April 2026 CVEs?

Update to version 2026.4.5 or later to get all 13 April 2026 security patches.

How many total CVEs does OpenClaw have?

138+ CVEs tracked from February through April 2026, including 7 Critical and 49 High severity issues.

← Back to dashboard

clawsmith.com/signal/openclaw-13-cves-april-2026-security-batch

⚠ IssueWide OpenLive

OpenClaw Publishes 13 Security Fixes in April 2026 Including CVSS 8.7 Privilege Escalation

Batch of 13 CVEs patched April 9-10, 2026. Includes CVE-2026-35639 (CVSS 8.7 privesc), CVE-2026-35641 (CVSS 8.4 arbitrary code exec), and OAuth PKCE verifier exposure.

Product Idea from this Signal

A CLI tool that validates OpenClaw workspace integrity and blocks .env injection, config poisoning, and prompt injection before the agent boots

1.7k ▲

OpenClaw loads .env files from the current working directory before its trusted configuration, and trusts heartbeat context inheritance without proper validation. CVE-2026-41294 (CVSS 8.6) and CVE-2026-41329 (CVSS 9.9) exploit these pre-boot trust assumptions. With 138+ CVEs tracked in 63 days and 397-point HN posts calling the platform a security nightmare, operators need a pre-boot safety gate that catches workspace-level attacks before the agent gets any execution context.

CLISECURITYOPEN-SOURCEDEVTOOLPRE-BOOT

CompetitiveView Opportunity →