CVE-2026-41349 HIGH

CVE-2026-41349: OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch

Vendor Openclaw

Product OpenClaw

Weakness CWE-862 · Missing authorization

Published April 23, 2026

Last update April 24, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

Key dates

02Disclosure timeline

April 23, 2026 CVE published

April 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41349

Related vulnerabilities

04Related CVE

CVE-2025-52766 WordPress Printeers Print & Ship plugin <= 1.17.0 - Broken Access Control vulnerability CVE-2025-67577 WordPress Easy Form Builder plugin <= 3.8.20 - Broken Access Control vulnerability CVE-2025-67563 WordPress Post SMTP plugin <= 3.6.1 - Broken Access Control vulnerability CVE-2023-41951 WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.6.14 - Broken Access Control vulnerability CVE-2025-69186 WordPress Hospital Doctor Directory plugin <= 1.3.9 - Broken Access Control vulnerability