Connect Clawsmith to your coding agent. Ship products like crazy.Unlimited usage during betaGet API Key โ†’
โ† Back to dashboard
clawsmith.com/signal/openclaw-april-2026-13-cves-privilege-escalation-code-exec
โš  IssueWide OpenLive

OpenClaw Patches 13 New CVEs in April 2026 Including CVSS 8.7 Privilege Escalation and 8.4 Code Execution

OpenClaw published 13 security fixes on April 9-10 2026, including CVE-2026-35639 (CVSS 8.7 privilege escalation via device.pair.approve), CVE-2026-35641 (CVSS 8.4 code exec via .npmrc), CVE-2026-41296 (CVSS 8.2 sandbox escape TOCTOU race), CVE-2026-41297 (SSRF). 138 total CVEs tracked Feb-Apr 2026.

Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

460.5k โ–ฒ

OpenClaw shipped 9 CVEs in 4 days (March 2026) including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no coordination between the flood of advisories (156+ total) and their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

SECURITYCLIDEVTOOLOPEN-SOURCESYSADMIN
CompetitiveView Opportunity โ†’

Score Breakdown

GitHub
158

Social Proof 3 sources

GH
jgamblin/OpenClawCVEs: Tracking 138+ OpenClaw CVEs Feb-Apr 2026
gh:jgamblin ยท 2/15/2026
158RD
OpenClaw Security 2026: 138 CVEs, Complete Vulnerability Guide
4/15/2026
0RD
OpenClaw CVEs 2026: Complete Vulnerability Timeline
4/20/2026
0
Virality Score
158
across 0 platforms
Details
Signalissue
Ecosystemโ€”
Sources3
Platforms0
Updated42d ago
Trendโ†’ stable
Top ideas
All ideas โ†’
0A GitHub App that enforces AI agent contribution policies, detects bot-authored PRs, and blocks retaliatory behavior after maintainer rejection0A local-first sales automation framework that turns OpenClaw agents into autonomous SDRs with prospecting, enrichment, sequencing, and deal tracking running entirely on your machine0A runtime middleware that verifies messaging channel user identities against platform-native stable IDs before any command reaches an OpenClaw agent
Related signals
All signals โ†’
11.1KOpenClaw Security Crisis: 135K Exposed Instances, RCE, AMOS Stealer3.7KOpenClaw Accumulates 433 CVEs in 164 Days โ€” 2.6 Security Failures Per Day3.1KClaw Chain: 4 Chainable CVEs (44112, 44113, 44115, 44118) Enable Sandbox Escape, Data Theft, Persistence