What is CVE-2026-41392?

CVE-2026-41392 is a medium-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 6.7/10. Published 2026-04-28.

How severe is CVE-2026-41392?

Medium severity. CVSS v3 base score is 6.7 out of 10.

Vulnerability in Openclaw

CVE-2026-41392

OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options like --rcfile, --init-file, and --startup-…

EPSS: 0.000 (7.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.3.31

Weakness classification (CWE)

CWE-184 — Incomplete List of Disallowed Inputs

References

GitHub Security Advisory (GHSA-wpc6-37g7-8q4w) (vendor-advisory, Vendor Advisory)
Patch Commit (Patch, patch)
VulnCheck Advisory: OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options (Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-41392?: CVE-2026-41392 is a medium-severity vulnerability in Openclaw, classified under Incomplete List of Disallowed Inputs. CVSS score: 6.7/10. Published 2026-04-28.
How severe is CVE-2026-41392?: Medium severity. CVSS v3 base score is 6.7 out of 10.