OpenClaw CVE-2026-41300
Severity: MEDIUM
CVSS Vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having their discovered URL survive the trust decline process into manual prompts requiring operator acceptance.
Analysis (AI-generated)
OpenClaw before version 2026.3.31 does not properly invalidate attacker-discovered endpoints when the operator declines trust during remote onboarding. Because the discovered URL survives the trust decline and is carried into the subsequent manual operator-acceptance prompt, an attacker can cause gateway credentials to be routed to a malicious endpoint. The vulnerability requires user interaction (UI:A) but impacts the confidentiality of gateway credentials (VC:H); with a CVSS score of 6.9 (medium-high severity), it poses a significant risk to organizations that use OpenClaw's remote onboarding feature.