Which versions of OpenClaw are affected by CVE-2026-41386?

OpenClaw versions prior to 2026.3.22 contain a critical privilege escalation vulnerability in the device pairing process that allows unauthenticated remote attackers to bypass role restrictions…. A patch is available.

OpenClaw CVE-2026-41386

Q: What is the CVSS score of CVE-2026-41386?

CVE-2026-41386 has a CVSS 4.0 base score of 9.1 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-26095 CRITICAL

Incorrect Use of Privileged APIs (CWE-648)

2026-04-28 VulnCheck

GHSA-gg9v-mgcp-v6m7

Privilege Escalation

9.1

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 28, 2026 - 20:23 vuln.today

cvss_changed

Analysis Generated

Apr 28, 2026 - 20:03 vuln.today

EUVD ID Assigned

Apr 28, 2026 - 19:30 euvd

EUVD-2026-26095

Analysis Generated

Apr 28, 2026 - 19:30 vuln.today

Patch released

Apr 28, 2026 - 19:30 nvd

Patch available

CVE Published

Apr 28, 2026 - 18:09 nvd

CRITICAL 9.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

5 npm packages depend on openclaw (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.22.

DescriptionNVD

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges beyond their intended role and scope.

AnalysisAI

Privilege escalation in OpenClaw allows remote unauthenticated attackers to elevate privileges beyond intended device roles during first-use pairing. The vulnerability stems from bootstrap setup codes lacking proper binding to device roles and scopes, enabling attackers to exploit the pairing process with low complexity and no user interaction. …

RemediationAI

Within 24 hours: Identify all OpenClaw deployments and document current versions; pause new device onboarding until patch is applied. Within 7 days: Apply vendor patch to OpenClaw version 2026.3.22 or later to all affected devices; prioritize new/recently deployed instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41386 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-41386

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-41386

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code