Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.
AnalysisAI
Authentication bypass in OpenClaw allows remote unauthenticated attackers to execute privileged runtime operations intended for authorized operators. The vulnerability exists in plugin-auth HTTP routes that incorrectly grant operator-level write scopes without authentication checks. Attackers can remotely exploit this flaw with low complexity (CVSS:4.0 AV:N/AC:L/PR:N) to modify runtime configurations and perform administrative actions. Vendor-released patch available as of commit 2a1db0c (March 31, 2026). No active exploitation confirmed in CISA KEV, though EPSS data unavailable for risk calibration.
Technical ContextAI
OpenClaw is an application platform with a plugin architecture that uses HTTP-based authentication routes for operator access control. The vulnerability stems from CWE-862 (Missing Authorization), where certain plugin-auth endpoints fail to enforce authentication requirements before granting elevated runtime scopes. In privilege management systems, scopes define the boundaries of what authenticated sessions can access-here, operator write scopes control runtime modifications and administrative operations. The affected CPE (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) indicates all versions prior to the 2026.3.31 release are vulnerable. The CVSS 4.0 vector shows network-accessible exploitation (AV:N) with low attack complexity (AT:N) requiring no privileges (PR:N) or user interaction (UI:N), yielding high integrity impact (VI:H) to the vulnerable system while limiting confidentiality impact (VC:L) and causing no availability disruption (VA:N).
RemediationAI
Upgrade to OpenClaw version 2026.3.31 or later, which contains the authentication enforcement fix implemented in commit 2a1db0c0f1fa375004a95ba0ef030534790a6d47 (https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47). Review the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66 for vendor-specific upgrade guidance. For environments unable to immediately patch, implement network-based access controls to restrict plugin-auth route access to trusted IP ranges or internal networks only-configure reverse proxy or firewall rules to block external access to paths matching /plugin-auth/* or equivalent endpoints (verify exact paths in OpenClaw documentation). Note this workaround reduces attack surface but does not eliminate risk from internal threats or compromised trusted networks. Additionally, audit existing runtime configurations for unauthorized modifications made prior to patching, as attackers may have already leveraged the bypass to inject persistent malicious settings. Compensating controls carry the trade-off of limiting legitimate remote operator access, requiring VPN or bastion host connectivity for authorized administrators.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26102