CVE-2026-41386:

CVE-2026-41386 is a critical privilege escalation vulnerability in OpenClaw before version 2026.3.22, where bootstrap setup codes are not bound to intended device roles and scopes during pairing, allowing unauthenticated network attackers to escalate privileges during first-use device pairing.

Score
A numerical rating that indicates how dangerous this vulnerability is.

9.1Critical

Published Date:Apr 28, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Exploitability

Score:3.9
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:NONE
User Interaction:NONE
Scope:UNCHANGED

Impact

Score:5.2
Confidentiality Impact:HIGH
Integrity Impact:HIGH
Availability Impact:NONE

Description Preview

Overview

CVE-2026-41386 affects OpenClaw versions prior to 2026.3.22 and represents a critical privilege escalation flaw rooted in improper binding of bootstrap setup codes during device pairing. When a device undergoes its initial pairing sequence, the setup codes that govern role and scope assignment are not adequately constrained, enabling a remote, unauthenticated attacker to exploit the pairing process and obtain elevated privileges beyond their authorized level. The vulnerability is network-exploitable with low attack complexity, requires no prior privileges or user interaction, and results in high confidentiality and integrity impact to the affected system. It is classified under CWE-648 (Incorrect Use of Privileged APIs) and carries a CVSS v3.1 and CVSS v4.0 base score of 9.1 (Critical).

Remediation

Users and administrators of OpenClaw should upgrade to version 2026.3.22 or later, which addresses the improper binding of bootstrap setup codes to device roles and scopes during pairing. The fix is available via the commit referenced in the project's GitHub repository. Organizations should treat first-use device pairing windows as security-sensitive periods and restrict network access to pairing interfaces where possible until patching is completed.