What is CVE-2026-41348?

CVE-2026-41348 is a medium-severity vulnerability in Openclaw, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-04-23.

How severe is CVE-2026-41348?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Auth bypass in Openclaw

CVE-2026-41348

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N.

Affected products

Openclaw — versions 0, 2026.3.31

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

GitHub Security Advisory (GHSA-rvvf-6vh3-9j43) (vendor-advisory, Vendor Advisory)
Patch Commit (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-41348?: CVE-2026-41348 is a medium-severity vulnerability in Openclaw, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-04-23.
How severe is CVE-2026-41348?: Medium severity. CVSS v3 base score is 5.4 out of 10.