CVE-2026-41394:
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability (CWE-862) that allows unauthenticated users to access plugin-auth HTTP routes with operator runtime write scopes, enabling unauthorized privileged actions.
Score
8.2 (High)
- Published Date: Apr 28, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 4.2
- Confidentiality Impact: LOW
- Integrity Impact: HIGH
- Availability Impact: NONE
Overview
OpenClaw before 2026.3.31 suffers from a missing authorization flaw in its plugin-auth HTTP route handling. These routes, which are accessible without authentication, are improperly scoped with operator-level runtime write permissions. As a result, any unauthenticated network-accessible attacker can invoke privileged runtime actions that should be restricted to authenticated operators. The attack requires no prior access, no user interaction, and no complex preconditions, making it trivially exploitable from any network location with access to the OpenClaw service. The primary risk is unauthorized modification of runtime state with a secondary risk of limited information disclosure.
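To make the CWE-862 pattern in the overview concrete, here is an added example that is not OpenClaw's code: route paths, scope names, sessions and function names are all constructed. It places a resolver that attaches operator write scope to the route itself (so any unauthenticated caller of the plugin-auth route holds it) beside one that derives effective scopes from the authenticated principal.

```python
# Added illustration of the missing-authorization pattern described above.
# Nothing here is OpenClaw's code: routes, scope names and sessions are constructed.
from typing import Optional

OPERATOR_READ = "operator.runtime.read"    # constructed scope names
OPERATOR_WRITE = "operator.runtime.write"

# Constructed route table. The plugin-auth route is intentionally reachable
# without a session (an OAuth-style callback), like the routes in the advisory.
ROUTES = {
    "/plugin-auth/callback": {"auth_required": False, "granted": {OPERATOR_WRITE}},
    "/runtime/config":       {"auth_required": True,  "granted": {OPERATOR_READ, OPERATOR_WRITE}},
}

# Constructed session store: bearer token -> principal and the scopes it holds.
SESSIONS = {
    "tok-operator": {"principal": "operator-1", "scopes": {OPERATOR_READ, OPERATOR_WRITE}},
    "tok-viewer":   {"principal": "viewer-1",   "scopes": {OPERATOR_READ}},
}

def vulnerable_scopes(path: str, token: Optional[str]) -> set:
    """Flawed resolver: scopes belong to the route, not to the caller.
    An unauthenticated request to the plugin-auth route therefore ends up
    holding operator write scope, which is the CWE-862 condition."""
    route = ROUTES[path]
    if route["auth_required"] and token not in SESSIONS:
        raise PermissionError("authentication required")
    return set(route["granted"])

def hardened_scopes(path: str, token: Optional[str]) -> set:
    """Fixed resolver: effective scopes are the intersection of what the
    authenticated principal holds and what the route may use. Anonymous
    callers receive no runtime scopes, even on routes that allow them."""
    route = ROUTES[path]
    session = SESSIONS.get(token) if token else None
    if route["auth_required"] and session is None:
        raise PermissionError("authentication required")
    if session is None:
        return set()
    return session["scopes"] & route["granted"]

def can_write_runtime(path: str, token: Optional[str], resolver) -> bool:
    """Authorization gate that a privileged runtime action sits behind."""
    try:
        return OPERATOR_WRITE in resolver(path, token)
    except PermissionError:
        return False
```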
Remediation
- Users of OpenClaw should upgrade to version 2026.3.31 or later, which addresses this vulnerability by ensuring that plugin-auth HTTP routes no longer receive operator runtime write scopes without proper authentication. Organizations that cannot immediately upgrade should consider implementing network-level controls such as firewall rules or reverse proxy authentication to restrict access to the affected routes until a patch can be applied. The fix is available via the commit referenced in the official GitHub repository.
References
1. GitHub Commit (Fix): https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47
2. GitHub Security Advisory (GHSA-mhgq-xpfq-6r66): https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66
3. VulnCheck Advisory: https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.