What is CVE-2026-41349?

CVE-2026-41349 is a high-severity vulnerability in Openclaw, classified under Missing Authorization. CVSS score: 8.8/10. Published 2026-04-23.

How severe is CVE-2026-41349?

High severity. CVSS v3 base score is 8.8 out of 10.

Auth bypass in Openclaw

CVE-2026-41349

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute una…

Vulnerability class: Broken Access Control

EPSS: 0.001 (33.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.3.28

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

GitHub Security Advisory (GHSA-v3qc-wrwx-j3pw) (vendor-advisory, Patch, Vendor Advisory)
Patch Commit (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-41349?: CVE-2026-41349 is a high-severity vulnerability in Openclaw, classified under Missing Authorization. CVSS score: 8.8/10. Published 2026-04-23.
How severe is CVE-2026-41349?: High severity. CVSS v3 base score is 8.8 out of 10.