Skip to main content

OpenClaw CVE-2026-41380

| EUVDEUVD-2026-26089 HIGH
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
2026-04-28 VulnCheck GHSA-p4x4-2r7f-wjxg
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

8
Patch released
May 01, 2026 - 15:51 nvd
Patch available
Patch available
Apr 28, 2026 - 21:01 EUVD
Re-analysis Queued
Apr 28, 2026 - 20:23 vuln.today
cvss_changed
Analysis Generated
Apr 28, 2026 - 20:03 vuln.today
CVSS changed
Apr 28, 2026 - 19:52 NVD
7.3 (HIGH) 7.0 (HIGH)
EUVD ID Assigned
Apr 28, 2026 - 19:30 euvd
EUVD-2026-26089
Analysis Generated
Apr 28, 2026 - 19:30 vuln.today
CVE Published
Apr 28, 2026 - 18:09 nvd
HIGH 7.0

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on openclaw (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.28.

DescriptionCVE.org

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to establish broader allowlist entries than intended, weakening execution approval boundaries.

AnalysisAI

Execution approval bypass in OpenClaw before 2026.3.28 allows local authenticated users with standard privileges to establish overly broad executable allowlist entries through wrapper carrier exploitation. Attackers leverage positional routing in dispatch wrappers to trust carrier executables instead of their invoked targets, escalating from limited execution approval to arbitrary code execution with high confidentiality and integrity impact. Vendor-released patch version 2026.3.28 addresses the flaw (GHSA-p4x4-2r7f-wjxg). No evidence of active exploitation or public POC identified at time of analysis.

Technical ContextAI

This vulnerability exploits a design flaw (CWE-807: Reliance on Untrusted Inputs in a Security Decision) in OpenClaw's execution approval mechanism, specifically in the exec-approvals-allowlist.ts module. The system implements allow-always persistence for executable approval, but incorrectly validates wrapper carrier executables rather than the final target binaries they invoke. When users approve execution through dispatch wrappers (common in script interpreters, shells, or launcher processes), the allowlist records the wrapper's path instead of the actual executable being launched. Subsequent invocations can exploit positional parameters to execute arbitrary payloads under the approved wrapper's trust context. This transforms granular per-executable approval into broad interpreter-level trust, effectively bypassing the security boundary the allowlist was designed to enforce. The CVSS:4.0 vector (AV:L/AC:L/PR:L/UI:P) indicates local attack surface with low complexity, requiring low privileges but user interaction to initially establish the malicious allowlist entry.

RemediationAI

Upgrade to OpenClaw version 2026.3.28 or later, which corrects the allowlist validation logic to trust invoked target executables rather than wrapper carriers (vendor advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-p4x4-2r7f-wjxg). For environments unable to patch immediately: disable the allow-always execution approval feature in exec-approvals-allowlist.ts configuration, requiring per-execution approval for all binaries (trade-off: increased user friction and approval fatigue). Alternatively, audit existing allowlist entries to remove generic wrapper executables (shells, script interpreters, launcher processes) and replace with specific target binary paths, though this requires manual inventory of approved executables and does not prevent future exploitation. Review audit logs for suspicious approval patterns involving wrapper executables followed by diverse child process invocations, which may indicate historical exploitation. Note that disabling allow-always approval impacts usability for legitimate recurring tasks and may require workflow adjustments.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-41380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy