OpenClaw CVE-2026-41406

EUVD-2026-26113 LOW

Authorization Bypass Through User-Controlled Key (CWE-639)

2026-04-28 VulnCheck

2.3

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 28, 2026 - 20:08 vuln.today

Severity Changed

Apr 28, 2026 - 19:52 NVD

MEDIUM LOW

CVSS changed

Apr 28, 2026 - 19:52 NVD

5.4 (MEDIUM) 2.3 (LOW)

DescriptionNVD

OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context messages to bypass sender allowlist restrictions and retrieve unauthorized content.

AnalysisAI

OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41406 vulnerability details – vuln.today

Back