Agents
OpenClaw 9 CVEs in 4 Days: 9.9 Critical Lets Authenticated Users Self-Declare Admin Scopes — Tracker Hits 156 Total Advisories
Between March 18-21, nine CVEs dropped for OpenClaw including a 9.9 CVSS critical where authenticated users could declare their own admin scopes during WebSocket handshake (CVE-2026-29607) and a complete allowlist bypass via shell line-continuation characters (CVE-2026-28460). The jgamblin/OpenClawCVEs tracker now lists 156 total security advisories with 128 still awaiting CVE assignment. Patches were same-day or next-day, but the disclosure velocity — nine in four days — signals systemic architectural debt in the fastest-growing agent runtime.
Source
↳ Follow the thread