CVE-2026-41342
Published: 23 April 2026
Summary
CVE-2026-41342 is a high-severity Origin Validation Error (CWE-346) in OpenClaw (vendor: OpenClaw; product: OpenClaw); the NVD describes it as an authentication bypass in the remote onboarding component. Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). It is ranked at the 1.2nd percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-3 (Device Identification and Authentication): requires a device such as a gateway to be authenticated before a connection to it is established, which directly prevents a spoofed discovery endpoint from being accepted during remote onboarding.
- Service authentication (cf. IA-9, Service Identification and Authentication): requires services, here the discovery endpoints, to be authenticated before they are used, so that an endpoint cannot be persisted as trusted without explicit trust confirmation.
- AC-17 (Remote Access): enforces authorization and authentication for remote access sessions, mitigating redirection of the onboarding session to a malicious gateway.
MITRE ATT&CK Enterprise Techniques
- Adversary-in-the-Middle (T1557)
Why these techniques?
The vulnerability lets an attacker on the local network spoof the unauthenticated discovery endpoint and redirect onboarding to a gateway they control, which is a direct Adversary-in-the-Middle position for capturing gateway credentials or onboarding traffic.
NVD Description
OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.
Deeper analysis
CVE-2026-41342, published on 2026-04-23, is an Origin Validation Error (CWE-346) that the NVD describes as an authentication bypass, rated CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and affecting OpenClaw versions before 2026.3.28. The flaw is in the remote onboarding component, which persists discovery endpoints that were never authenticated without first requiring explicit trust confirmation from the user.
Per the vector, the attacker needs an adjacent-network position (AV:A), faces low attack complexity (AC:L) and needs no privileges (PR:N), but does depend on a user starting or accepting onboarding (UI:R). By answering discovery with a spoofed endpoint, the attacker redirects onboarding to a gateway under their control and captures the gateway credentials or the onboarding traffic, hence the high confidentiality and integrity impact (C:H/I:H); availability is not affected (A:N).
Mitigation details are in the official advisories: the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding. OpenClaw 2026.3.28 and later fix the issue by requiring explicit trust confirmation before a discovery endpoint is persisted. Because the attack requires an adjacent-network position (AV:A), limiting which network segments remote onboarding is performed from reduces exposure until the upgrade is applied.
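To make the failure mode concrete, the following is an added example, not OpenClaw's code and not taken from either advisory: a small TypeScript model of an onboarding client that receives gateway discovery announcements over the local network. `onboardVulnerable` does what the NVD description says the affected versions do (persist whatever answered discovery and send it the credentials), while `onboardHardened` persists a gateway only after an explicit out-of-band confirmation of its key fingerprint and refuses announcements that disagree with an already pinned gateway. All names (`DiscoveryAnnouncement`, `TrustStore`, the `confirm` callback) and the sample announcements are hypothetical and say nothing about how OpenClaw actually implements its fix.

```typescript
// Added example (not OpenClaw's code): a model of remote-onboarding discovery
// with and without explicit trust confirmation. Every name below
// (DiscoveryAnnouncement, TrustStore, onboardVulnerable, onboardHardened,
// the confirm callback) and all sample data are hypothetical.
import { createHash } from "node:crypto";

// What the onboarding client receives over the local segment. Nothing in it is
// authenticated, so any adjacent host can send one (CWE-346: the origin of the
// announcement is never validated).
export interface DiscoveryAnnouncement {
  name: string;          // advertised gateway name
  url: string;           // where onboarding will send credentials
  publicKeyPem: string;  // self-asserted gateway key
  sourceIp: string;
}

export interface TrustedGateway { name: string; url: string; fingerprint: string; }

export class TrustStore {
  private entries = new Map<string, TrustedGateway>();
  get(name: string): TrustedGateway | undefined { return this.entries.get(name); }
  persist(g: TrustedGateway): void { this.entries.set(g.name, g); }
  size(): number { return this.entries.size; }
}

export function fingerprintOf(publicKeyPem: string): string {
  return createHash("sha256").update(publicKeyPem).digest("hex");
}

export interface OnboardResult { ok: boolean; reason: string; credentialsSentTo?: string; }

// Vulnerable pattern, as the advisory describes it: whatever answers discovery
// is persisted as trusted and immediately receives the onboarding credentials.
export function onboardVulnerable(store: TrustStore, ann: DiscoveryAnnouncement): OnboardResult {
  store.persist({ name: ann.name, url: ann.url, fingerprint: fingerprintOf(ann.publicKeyPem) });
  return { ok: true, reason: "persisted on discovery", credentialsSentTo: ann.url };
}

// Hardened pattern: a new gateway is persisted only after the operator confirms
// its fingerprint out of band, and an announcement that disagrees with an
// already pinned gateway (different key or URL) is rejected instead of redirecting.
export function onboardHardened(
  store: TrustStore,
  ann: DiscoveryAnnouncement,
  confirm: (name: string, url: string, fingerprint: string) => boolean,
): OnboardResult {
  const fp = fingerprintOf(ann.publicKeyPem);
  const known = store.get(ann.name);
  if (known !== undefined) {
    if (known.fingerprint !== fp || known.url !== ann.url) {
      return { ok: false, reason: `announcement from ${ann.sourceIp} does not match pinned ${ann.name}` };
    }
    return { ok: true, reason: "matches pinned gateway", credentialsSentTo: known.url };
  }
  if (!confirm(ann.name, ann.url, fp)) {
    return { ok: false, reason: "trust not confirmed; nothing persisted" };
  }
  store.persist({ name: ann.name, url: ann.url, fingerprint: fp });
  return { ok: true, reason: "persisted after explicit confirmation", credentialsSentTo: ann.url };
}

// Constructed sample data: the real gateway and a spoofed announcement from
// another host on the same segment that reuses the real gateway's name.
export const legitimate: DiscoveryAnnouncement = {
  name: "home-gateway",
  url: "https://10.0.0.5:8443/onboard",
  publicKeyPem: "-----BEGIN PUBLIC KEY-----\nLEGIT-KEY\n-----END PUBLIC KEY-----",
  sourceIp: "10.0.0.5",
};
export const spoofed: DiscoveryAnnouncement = {
  name: "home-gateway",
  url: "https://10.0.0.66:8443/onboard",
  publicKeyPem: "-----BEGIN PUBLIC KEY-----\nATTACKER-KEY\n-----END PUBLIC KEY-----",
  sourceIp: "10.0.0.66",
};

// Simulated operator: accepts only the fingerprint read off the real gateway's console.
export const operatorConfirms = (_name: string, _url: string, fp: string): boolean =>
  fp === fingerprintOf(legitimate.publicKeyPem);

export function demo() {
  const vulnerable = onboardVulnerable(new TrustStore(), spoofed);          // attacker receives credentials
  const fresh = new TrustStore();
  const spoofFirst = onboardHardened(fresh, spoofed, operatorConfirms);     // rejected; store stays empty
  const pinned = new TrustStore();
  onboardHardened(pinned, legitimate, operatorConfirms);                    // confirmed and pinned
  const spoofAfterPin = onboardHardened(pinned, spoofed, operatorConfirms); // rejected: key/URL mismatch
  return { vulnerable, spoofFirst, freshSize: fresh.size(), spoofAfterPin, pinnedUrl: pinned.get("home-gateway")?.url };
}
```

The two checks in `onboardHardened` map onto the controls listed above: the confirmation callback is the explicit trust decision (the endpoint is authenticated by the operator before it is used), and the comparison against the pinned entry is what stops a later spoofed announcement from redirecting an already onboarded client.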
Details
- CWE(s)