CVE-2026-41378:
CVE-2026-41378 is a privilege escalation vulnerability in OpenClaw before 2026.3.31 that allows authenticated paired nodes with the `role=node` designation to dispatch `node.event` agent requests with unrestricted gateway-side tool access, enabling remote code execution on the gateway.
Score
A numerical rating that indicates how dangerous this vulnerability is.
- CVSS v3.1 Base Score: 8.8 (High)
- Published Date: Apr 28, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
These metrics correspond to the CVSS v3.1 vector `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` (base 8.8). Privileges Required: LOW reflects that the attacker must already hold valid paired node credentials; the flaw is not reachable anonymously.
Overview
CVE-2026-41378 affects OpenClaw versions prior to 2026.3.31. The root cause is a missing authorization check (CWE-862) on the path by which paired nodes with `role=node` reach the gateway's agent dispatch: the gateway authenticates the node, but it does not restrict which gateway-side tools a `node.event` agent request from that node may invoke. Authentication is therefore the only gate, and any caller holding paired node credentials, including a compromised or malicious node device, can submit agent requests that run with the gateway's full tool set. That lets the attacker escalate from the limited node role to code execution on the gateway host, compromising the confidentiality, integrity, and availability of the gateway environment. The vulnerability carries a CVSS v3.1 score of 8.8 (HIGH) and a CVSS 4.0 score of 7.7 (HIGH).
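To make the missing-authorization pattern concrete, here is an added TypeScript illustration. It is not OpenClaw's code: `Principal`, `AgentRequest`, the tool names and the per-role allowlist are hypothetical stand-ins for the gateway's real types. It places a dispatch gate that forwards any `node.event` request from an authenticated caller beside a hardened gate that checks the caller's role against a deny-by-default tool allowlist before forwarding.

```typescript
// Added illustration of the CWE-862 pattern behind CVE-2026-41378. This is
// not OpenClaw's code: Principal, AgentRequest, the tool names and the
// allowlist are hypothetical stand-ins for the gateway's real types.

type Role = "operator" | "node";

interface Principal {
  id: string;
  role: Role; // "node" is the paired-node designation the advisory concerns
}

interface AgentRequest {
  method: string; // "node.event" is the request type named in the advisory
  tool: string;   // gateway-side tool the agent is asked to run
  args: Record<string, unknown>;
}

interface DispatchResult {
  allowed: boolean;
  reason: string;
}

// Hypothetical gateway-side tool set; "exec" and "write_file" run with the
// gateway process's privileges, so reaching them is code execution on the host.
const ALL_TOOLS: readonly string[] = ["read_file", "write_file", "exec", "browser", "notify"];

// Hypothetical per-role allowlist, deny by default. A paired node gets only
// the low-impact tool it needs; the operator role keeps the full set.
const TOOL_ALLOWLIST: Record<Role, ReadonlySet<string>> = {
  operator: new Set<string>(ALL_TOOLS),
  node: new Set<string>(["notify"]),
};

// Vulnerable shape (the pre-2026.3.31 behaviour the advisory describes):
// the caller has already authenticated as a paired node, and that is the only
// gate. The request is forwarded to the agent with no look at who is asking.
function dispatchVulnerable(who: Principal, req: AgentRequest): DispatchResult {
  if (req.method !== "node.event") {
    return { allowed: false, reason: `unsupported method ${req.method}` };
  }
  return { allowed: true, reason: `forwarded ${req.tool} on behalf of ${who.id}` };
}

// Hardened shape: authentication and authorization are separate decisions.
// The tool must exist and the caller's role must be allowlisted for it.
function dispatchHardened(who: Principal, req: AgentRequest): DispatchResult {
  if (req.method !== "node.event") {
    return { allowed: false, reason: `unsupported method ${req.method}` };
  }
  if (!ALL_TOOLS.includes(req.tool)) {
    return { allowed: false, reason: `unknown tool ${req.tool}` };
  }
  if (!TOOL_ALLOWLIST[who.role].has(req.tool)) {
    return { allowed: false, reason: `role=${who.role} may not invoke ${req.tool}` };
  }
  return { allowed: true, reason: `forwarded ${req.tool} on behalf of ${who.id}` };
}

// Constructed sample: a paired node asking the agent to run a shell command.
const pairedNode: Principal = { id: "node-7", role: "node" };
const adminOperator: Principal = { id: "admin", role: "operator" };
const execRequest: AgentRequest = { method: "node.event", tool: "exec", args: { cmd: "id" } };
const notifyRequest: AgentRequest = { method: "node.event", tool: "notify", args: { text: "ok" } };

// Both gates accept the benign event; only the vulnerable gate lets the node
// reach exec with the gateway's privileges.
console.log(dispatchVulnerable(pairedNode, execRequest));
console.log(dispatchHardened(pairedNode, execRequest));
console.log(dispatchHardened(pairedNode, notifyRequest));
console.log(dispatchHardened(adminOperator, execRequest));
```

The point of the hardened gate is that the allowlist is keyed on the caller's role, not on whether the caller authenticated, and that an unknown tool is refused rather than passed through. Whatever the real fix in commit `a77928b` looks like, an equivalent role-to-tool decision has to sit on the `node.event` path before the agent runs anything.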
Remediation
- Upgrade OpenClaw to version 2026.3.31 or later, which contains the patch for this vulnerability as reflected in commit `a77928b1087e90f2a8903f8e5aca6dec9237ac62`.
- Until the upgrade is in place, treat every paired node credential as equivalent to code execution on the gateway: audit which nodes have been granted paired node credentials and revoke any that are not needed or may have been compromised, enforce network-level controls so that only the hosts that must pair can reach the gateway, and monitor `node.event` agent dispatches from `role=node` principals for tool invocations outside what those nodes normally perform. These are compensating measures only; they reduce who can reach the flaw, not the flaw itself.
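For the monitoring step, here is an added TypeScript detection pass over gateway dispatch records. It is not OpenClaw code and does not reflect its real log format: the JSON line layout, the field names, the set of tools treated as privileged and the per-node baseline are all constructed for illustration. It flags `node.event` requests from `role=node` principals that reach a privileged tool, or any tool outside the node baseline, and skips malformed lines without aborting the scan.

```typescript
// Added example of the monitoring step: scan gateway dispatch records for
// node.event requests from role=node principals that reach tools a paired
// node has no business invoking. Not OpenClaw code: the JSON line layout,
// field names and tool sets below are constructed for illustration only.

interface DispatchRecord {
  ts: string;
  principal: { id: string; role: string };
  method: string;
  tool: string;
}

interface Finding {
  ts: string;
  nodeId: string;
  tool: string;
  reason: string;
}

// Assumed: tools that run with the gateway's privileges (code execution on the host).
const PRIVILEGED_TOOLS = new Set<string>(["exec", "shell", "write_file"]);
// Assumed: the only tool a paired node is expected to touch in normal operation.
const NODE_BASELINE = new Set<string>(["notify"]);

function parseRecord(line: string): DispatchRecord | null {
  let obj: unknown;
  try {
    obj = JSON.parse(line);
  } catch {
    return null; // malformed line: skipped, never crashes the scan
  }
  const r = obj as Partial<DispatchRecord>;
  if (typeof r.ts !== "string" || typeof r.method !== "string" || typeof r.tool !== "string") return null;
  if (!r.principal || typeof r.principal.id !== "string" || typeof r.principal.role !== "string") return null;
  return r as DispatchRecord;
}

// Two rules, in order of severity: a node reaching a privileged tool is the
// vulnerability being exercised; a node reaching anything outside its
// baseline is the same missing-authorization gap being probed.
function detectNodeEscalation(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const rec = parseRecord(line);
    if (!rec || rec.method !== "node.event" || rec.principal.role !== "node") continue;
    if (PRIVILEGED_TOOLS.has(rec.tool)) {
      findings.push({ ts: rec.ts, nodeId: rec.principal.id, tool: rec.tool, reason: "privileged tool from paired node" });
    } else if (!NODE_BASELINE.has(rec.tool)) {
      findings.push({ ts: rec.ts, nodeId: rec.principal.id, tool: rec.tool, reason: "tool outside node baseline" });
    }
  }
  return findings;
}

// Constructed sample log (not real OpenClaw output). The operator's exec call
// is legitimate; node-7 first behaves, then reads a file, then runs exec;
// one line is garbage; node-3 writes a file.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-04-28T10:00:01Z","principal":{"id":"admin","role":"operator"},"method":"node.event","tool":"exec"}',
  '{"ts":"2026-04-28T10:00:05Z","principal":{"id":"node-7","role":"node"},"method":"node.event","tool":"notify"}',
  '{"ts":"2026-04-28T10:00:09Z","principal":{"id":"node-7","role":"node"},"method":"node.event","tool":"read_file"}',
  '{"ts":"2026-04-28T10:00:12Z","principal":{"id":"node-7","role":"node"},"method":"node.event","tool":"exec"}',
  'not json at all',
  '{"ts":"2026-04-28T10:00:20Z","principal":{"id":"node-3","role":"node"},"method":"node.event","tool":"write_file"}',
];

console.log(detectNodeEscalation(SAMPLE_LOG));
```

On an unpatched gateway a hit on the first rule is evidence of exploitation, not merely of a misconfigured node, because the gateway itself would have executed the tool. The baseline rule is noisier and needs tuning to what your nodes actually do, but it is the one that catches an attacker feeling out which tools the gateway exposes before committing to `exec`.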
References
- [OpenClaw Security Advisory GHSA-gjm7-hw8f-73rq](https://github.com/openclaw/openclaw/security/advisories/GHSA-gjm7-hw8f-73rq)
- [Patch Commit a77928b](https://github.com/openclaw/openclaw/commit/a77928b1087e90f2a8903f8e5aca6dec9237ac62)
- [VulnCheck Advisory: OpenClaw Privilege Escalation to RCE via Unrestricted node.event Agent Dispatch](https://www.vulncheck.com/advisories/openclaw-privilege-escalation-to-remote-code-execution-via-unrestricted-node-event-agent-dispatch)
- [NVD Entry: CVE-2026-41378](https://nvd.nist.gov/vuln/detail/CVE-2026-41378)
- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.