CVE-2026-41344 MEDIUM

CVE-2026-41344: OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter

Vendor Openclaw

Product OpenClaw

Weakness CWE-863 · Incorrect authorization

Published April 23, 2026

Last update April 24, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose parameter to bypass access controls and expose sensitive reasoning or tool output intended to be restricted to administrators.

Key dates

02Disclosure timeline

April 23, 2026 CVE published

April 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41344 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

04Related CVE

CVE-2022-34397 CVE-2023-37492 Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform CVE-2026-3573 AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028 CVE-2025-20381 SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool CVE-2025-9376 Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass