CVE-2026-41406 (severity: LOW)

CVE-2026-41406: OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages

Vendor Openclaw
Product OpenClaw
Weakness CWE-639 · IDOR
Published April 28, 2026
Last update April 29, 2026

CVSS base score: 2.3/10

Attack vector: Network
Attack complexity: Low
Attack requirements: Present
Privileges required: None
User interaction: Passive
Confidentiality: Low
Integrity: Low
Availability: None

CVSS vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenClaw before 2026.3.31 contains a sender allowlist bypass that allows remote attackers to access restricted messages. The allowlist restriction can be bypassed through quoted, root, and thread-context messages that OpenClaw fetches: an attacker can use these fetched messages to retrieve content they are not authorized to read.

Key dates

Disclosure timeline

April 28, 2026 CVE published
April 29, 2026 Record updated