CVE-2026-41394 HIGH

CVE-2026-41394: OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes

Vendor Openclaw

Product OpenClaw

Weakness CWE-862 · Missing authorization

Published April 28, 2026

Last update April 30, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.

Key dates

02Disclosure timeline

April 28, 2026 CVE published

April 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41394 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-25415 WordPress WPBookit Pro plugin <= 1.6.18 - Broken Access Control vulnerability CVE-2026-1937 YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action CVE-2022-4169 Theme and plugin translation for Polylang <= 3.2.16 - Missing Authorization CVE-2024-25908 WordPress WP Media folder plugin <= 5.7.2 - Subscriber+ Arbitrary Post/Page Modification vulnerability CVE-2024-2848 Responsive <= 5.0.2 - Missing Authorization to HTML Injection