What is CVE-2026-41347?

CVE-2026-41347 is a high-severity vulnerability in Openclaw, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.1/10. Published 2026-04-23.

How severe is CVE-2026-41347?

High severity. CVSS v3 base score is 7.1 out of 10.

CSRF in Openclaw

CVE-2026-41347

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests from a browser…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.000 (4.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

Affected products

Openclaw — versions 0, 2026.3.31

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

GitHub Security Advisory (GHSA-mhr7-2xmv-4c4q) (vendor-advisory, Vendor Advisory)
Patch Commit (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-41347?: CVE-2026-41347 is a high-severity vulnerability in Openclaw, classified under Cross-Site Request Forgery (CSRF). CVSS score: 7.1/10. Published 2026-04-23.
How severe is CVE-2026-41347?: High severity. CVSS v3 base score is 7.1 out of 10.