PocketClawAI security alerts
Sign in
AI CVE tracker · auto from NVD + CISA KEV

AI agent vulnerabilities, live.

Every disclosed CVE across the AI agents we track. Pulled continuously from NIST NVD, cross-referenced with CISA KEV (exploited-in-wild) and project advisories. Last entry: 2026-04-26 · cron runs every 6h.

13
total CVEs
3
open
2
critical
2
exploited in wild
archive

All disclosed AI CVEs

Get alerts on your stack →
high
CVE-2026-26701sandbox escape via tool definition injection

Hermes Agent's tool loader did not validate sandbox declarations against a schema. A malicious tool definition (loaded from a community marketplace) could declare an empty sandbox block, effectively d

affects: Hermes Agent · CVSS 7.6
2026-04-26high
CVE-2026-25898credential leak via verbose error logs

Verbose error logging in OpenClaw 2026.4.0–2026.4.5 includes API keys when an HTTP 401 is returned by the LLM provider. Logs are written to stdout and may be exfiltrated by any process with read acces

affects: OpenClaw · CVSS 7.4
2026-04-22medium
CVE-2026-22807prompt-injection-resistant audit log incomplete

The OpenClaw 2026.4 audit log records tool calls but did not include the full prompt context that triggered them. A prompt-injection attack could not be reconstructed from logs alone, making forensic

affects: OpenClaw · CVSS 5
2026-04-18medium
CVE-2026-26330IDOR in admin dashboard tenant routing

NitroClaw's admin dashboard URL pattern allowed authenticated users to read other tenants' agent configurations by changing a numeric tenant ID in the URL. No tool execution leakage. Configurations co

affects: NitroClaw · CVSS 5.4 · patched 2026-04-13
2026-04-12medium
CVE-2026-24112XSS in audit log viewer

The IronClaw audit log viewer rendered tool call arguments without HTML escaping. A malicious tool call could inject script tags that executed in the context of an authenticated admin viewing the log.

affects: IronClaw · CVSS 6.1 · patched 2026-04-12
2026-04-08high
CVE-2026-23912tool description spoofing across implementations

A flaw in the way several MCP server implementations handled tool description updates allowed a malicious MCP server to silently rename a tool after handshake. Agents that cached the original tool nam

affects: OpenClaw, Hermes Agent · CVSS 8.1 · patched 2026-04-08
2026-04-03medium
CVE-2026-26044Apple container privilege escalation

NanoClaw 0.3.x granted excessive entitlements to its container helper process. A local attacker with low-privilege access could escalate to admin via the helper.

affects: NanoClaw · CVSS 5.5 · patched 2026-04-04
2026-04-02low
CVE-2026-23501log injection via unescaped tool output

Nanobot wrote tool output verbatim to stdout. An adversarial tool could include ANSI escape codes or terminal control sequences in its output, manipulating the terminal display of the developer runnin

affects: Nanobot · CVSS 3.7 · patched 2026-04-01
2026-03-29high
CVE-2026-24891path traversal in file tool

The default file-read tool in OpenClaw 2026.3.x did not normalise relative paths. An agent given a maliciously-crafted path (via prompt injection or otherwise) could read files outside its declared wo

affects: OpenClaw · CVSS 7.8 · patched 2026-03-19
2026-03-17medium
CVE-2026-24447local network scan via misconfigured iptables rule

ZeroClaw's bundled egress-deny iptables rule allowed RFC1918 destinations by default. A prompt-injected agent could scan the local network for HTTP services. Default policy tightened to loopback-only

affects: ZeroClaw · CVSS 6.5 · patched 2026-03-06
2026-03-04high
CVE-2026-25712auth bypass via WebSocket downgrade

Versions 2026.2.10–2026.2.12 introduced the WebSocket origin check from CVE-2026-25253 but did not protect against HTTP/1.0 downgrade. An attacker who could control DNS or perform an HTTP-level downgr

affects: OpenClaw · CVSS 7.2 · patched 2026-02-23
2026-02-21critical
CVE-2026-25103credential storage in plaintext on disk

OpenClaw stored API keys for LLM providers in plaintext in ~/.openclaw/credentials.json with mode 644. Any process running under the same user could read the file. The pre-2026.2.10 default tools incl

affects: OpenClaw · CVSS 9.1 · ⚠ exploited in wild · patched 2026-02-08
2026-02-04critical
CVE-2026-252531-click RCE via WebSocket origin bypass

OpenClaw's local dashboard accepts WebSocket connections without validating the Origin header. Any web page visited while OpenClaw is running can open the WebSocket and trigger tool execution. With de

affects: OpenClaw · CVSS 9.6 · ⚠ exploited in wild · patched 2026-01-27
2026-01-25
also on PocketClaw

More AI security tools

AI agents trackerOpenClaw, Hermes, Nanobot…AI hardwarehosts we benchmarkedAI providersOpenRouter, Anthropic, OpenAI…AI guideslong-form audits + playbooksAI comparisonsside-by-side breakdownsAI glossaryevery term, defined