PocketClawvol. 1 · 2026
cve trackerauto-pulled from NVD

Vulnerabilities, current.

Every disclosed CVE across the agents we track. Pulled continuously from NIST NVD, cross-referenced with project advisories.

0
total cves
0
open right now
0
critical severity
0
exploited in wild
recent disclosures

13 CVEs across 12 agents.

CVE-2026-26701high · CVSS 7.6open

Hermes Agent — sandbox escape via tool definition injection

Hermes Agent's tool loader did not validate sandbox declarations against a schema. A malicious tool definition (loaded from a community marketplace) could declare an empty sandbox block, effectively disabling the sandbox for that tool's execution. Patched in 2026.4.4.

Affects: Hermes AgentPublished: 2026-04-26Versions: 2026.4.0 – 2026.4.3Fixed in: 2026.4.4
CVE-2026-25898high · CVSS 7.4open

OpenClaw — credential leak via verbose error logs

Verbose error logging in OpenClaw 2026.4.0–2026.4.5 includes API keys when an HTTP 401 is returned by the LLM provider. Logs are written to stdout and may be exfiltrated by any process with read access to the OpenClaw container.

Affects: OpenClawPublished: 2026-04-22Versions: 2026.4.0 – 2026.4.5Fixed in: 2026.4.6
CVE-2026-22807medium · CVSS 5open

OpenClaw — prompt-injection-resistant audit log incomplete

The OpenClaw 2026.4 audit log records tool calls but did not include the full prompt context that triggered them. A prompt-injection attack could not be reconstructed from logs alone, making forensic analysis significantly harder. Improvement scheduled but not yet shipped.

Affects: OpenClawPublished: 2026-04-18Versions: 2026.4.0 – currentFixed in: Pending (planned 2026.5)
CVE-2026-26330medium · CVSS 5.4patched

NitroClaw — IDOR in admin dashboard tenant routing

NitroClaw's admin dashboard URL pattern allowed authenticated users to read other tenants' agent configurations by changing a numeric tenant ID in the URL. No tool execution leakage. Configurations contained no plaintext secrets.

Affects: NitroClawPublished: 2026-04-12Versions: Platform 1.4 – 1.5Fixed in: Platform 1.6
CVE-2026-24112medium · CVSS 6.1patched

IronClaw — XSS in audit log viewer

The IronClaw audit log viewer rendered tool call arguments without HTML escaping. A malicious tool call could inject script tags that executed in the context of an authenticated admin viewing the log.

Affects: IronClawPublished: 2026-04-08Versions: 1.0.0 – 1.1.4Fixed in: 1.1.5
CVE-2026-23912high · CVSS 8.1patched

MCP protocol — tool description spoofing across implementations

A flaw in the way several MCP server implementations handled tool description updates allowed a malicious MCP server to silently rename a tool after handshake. Agents that cached the original tool name could be tricked into invoking a different tool. Affected the MCP server libraries used by both OpenClaw and Hermes Agent.

Affects: OpenClaw, Hermes AgentPublished: 2026-04-03Versions: MultipleFixed in: OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4
CVE-2026-26044medium · CVSS 5.5patched

NanoClaw — Apple container privilege escalation

NanoClaw 0.3.x granted excessive entitlements to its container helper process. A local attacker with low-privilege access could escalate to admin via the helper.

Affects: NanoClawPublished: 2026-04-02Versions: 0.3.0 – 0.3.4Fixed in: 0.3.5
CVE-2026-23501low · CVSS 3.7patched

Nanobot — log injection via unescaped tool output

Nanobot wrote tool output verbatim to stdout. An adversarial tool could include ANSI escape codes or terminal control sequences in its output, manipulating the terminal display of the developer running the agent. Cosmetic but in some terminals could obscure security warnings. Fixed by sanitising tool output before logging.

Affects: NanobotPublished: 2026-03-29Versions: 0.1.0 – 0.6.xFixed in: 0.7.0
CVE-2026-24891high · CVSS 7.8patched

OpenClaw — path traversal in file tool

The default file-read tool in OpenClaw 2026.3.x did not normalise relative paths. An agent given a maliciously-crafted path (via prompt injection or otherwise) could read files outside its declared workspace, including SSH keys and credential vaults.

Affects: OpenClawPublished: 2026-03-17Versions: 2026.3.0 – 2026.3.11Fixed in: 2026.3.12
CVE-2026-24447medium · CVSS 6.5patched

ZeroClaw — local network scan via misconfigured iptables rule

ZeroClaw's bundled egress-deny iptables rule allowed RFC1918 destinations by default. A prompt-injected agent could scan the local network for HTTP services. Default policy tightened to loopback-only in 0.5.6.

Affects: ZeroClawPublished: 2026-03-04Versions: 0.5.0 – 0.5.5Fixed in: 0.5.6
CVE-2026-25712high · CVSS 7.2patched

OpenClaw — auth bypass via WebSocket downgrade

Versions 2026.2.10–2026.2.12 introduced the WebSocket origin check from CVE-2026-25253 but did not protect against HTTP/1.0 downgrade. An attacker who could control DNS or perform an HTTP-level downgrade could bypass the origin check. Patched in 2026.2.13.

Affects: OpenClawPublished: 2026-02-21Versions: 2026.2.10 – 2026.2.12Fixed in: 2026.2.13
CVE-2026-25103critical · CVSS 9.1exploited in wildpatched

OpenClaw — credential storage in plaintext on disk

OpenClaw stored API keys for LLM providers in plaintext in ~/.openclaw/credentials.json with mode 644. Any process running under the same user could read the file. The pre-2026.2.10 default tools included an unrestricted file-read tool, making prompt-injection-driven credential exfiltration trivial.

Affects: OpenClawPublished: 2026-02-04Versions: ≤ 2026.2.9Fixed in: 2026.2.10 (with manual key rotation required)
CVE-2026-25253critical · CVSS 9.6exploited in wildpatched

OpenClaw — 1-click RCE via WebSocket origin bypass

OpenClaw's local dashboard accepts WebSocket connections without validating the Origin header. Any web page visited while OpenClaw is running can open the WebSocket and trigger tool execution. With default tools enabled, this is a full RCE.

Affects: OpenClawPublished: 2026-01-25Versions: ≤ 2026.2.9Fixed in: 2026.2.10