Which versions of OpenClaw are affected by CVE-2026-41378?

OpenClaw gateway versions before 2026.3.31 contain a remote code execution vulnerability that allows paired nodes with low-privilege credentials to execute arbitrary code on the gateway through…. A patch is available.

How to fix or mitigate CVE-2026-41378?

Within 24 hours: Identify all OpenClaw gateway instances and document current versions in use. Within 7 days: Upgrade all OpenClaw gateways to version 2026.3.31 or later. Within 30 days: Audit paired node credentials and implement network segmentation to restrict node-to-gateway communication to trusted infrastructure only.

OpenClaw CVE-2026-41378

Q: What is the CVSS score of CVE-2026-41378?

CVE-2026-41378 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.2%.

EUVD-2026-26087 HIGH

Missing Authorization (CWE-862)

2026-04-28 VulnCheck

GHSA-gjm7-hw8f-73rq

Authentication Bypass Privilege Escalation RCE

7.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 28, 2026 - 20:23 vuln.today

cvss_changed

Analysis Generated

Apr 28, 2026 - 20:02 vuln.today

CVSS changed

Apr 28, 2026 - 19:52 NVD

8.8 (HIGH) 7.7 (HIGH)

EUVD ID Assigned

Apr 28, 2026 - 19:30 euvd

EUVD-2026-26087

Analysis Generated

Apr 28, 2026 - 19:30 vuln.today

Patch released

Apr 28, 2026 - 19:30 nvd

Patch available

CVE Published

Apr 28, 2026 - 18:09 nvd

HIGH 7.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.31.

DescriptionNVD

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.

AnalysisAI

Remote code execution in OpenClaw gateway versions before 2026.3.31 allows attackers with trusted paired node credentials (role=node) to escalate privileges and execute arbitrary code on the gateway by abusing unrestricted agent.request dispatch functionality. The vulnerability stems from insufficient access controls on node.event agent requests, enabling low-privilege paired nodes to invoke gateway-side tools without restriction. …

RemediationAI

Within 24 hours: Identify all OpenClaw gateway instances and document current versions in use. Within 7 days: Upgrade all OpenClaw gateways to version 2026.3.31 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41378 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-41378

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-41378

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code