
CVE-2026-41342

Severity: High · Public PoC

Published: 23 April 2026
Modified: 29 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in OpenClaw 2026.3.28

CVSS v4 score: 7.4 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0013 (2.6th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-41342 is a high-severity Origin Validation Error (CWE-346) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557). The vulnerability is ranked at the 2.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and IA-3 (Device Identification and Authentication).

Deeper analysis

CVE-2026-41342, published on 2026-04-23, is an authentication bypass vulnerability (CWE-346) rated at CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) affecting OpenClaw versions before 2026.3.28. The flaw resides in the remote onboarding component, where discovery endpoints that have never been authenticated are persisted without requiring explicit trust confirmation from the user.

An attacker on an adjacent network can exploit this vulnerability with low attack complexity and no required privileges, though user interaction is necessary. By spoofing discovery endpoints, the attacker redirects the onboarding process toward a malicious gateway, allowing capture of gateway credentials or traffic and resulting in high confidentiality and integrity impacts.

Mitigation details are available in the official advisories, including the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3cw3-5vxw-g2h3 and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-unauthenticated-discovery-endpoint-credential-exfiltration-via-remote-onboarding. OpenClaw versions 2026.3.28 and later address the issue by enforcing proper trust confirmation for discovery endpoints.
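The advisory text describes the fix only at the level of "enforcing proper trust confirmation for discovery endpoints". The following sketch is an added illustration, not OpenClaw's code and not taken from any of the advisories: it contrasts an onboarding client that persists whatever answers discovery with one that keeps an announcement pending until the user explicitly confirms the gateway's identity, and that releases credentials only to a gateway whose persisted identity matches. The class names, the store layout, the SHA-256 certificate fingerprint scheme and the sample announcements are all assumptions constructed for the example.

```python
"""Added illustration (not OpenClaw's code): persisting a discovery endpoint
only after explicit trust confirmation.  Names, fields and the fingerprint
scheme are assumptions made for this example."""
from dataclasses import dataclass, field
import hashlib
import hmac


@dataclass(frozen=True)
class DiscoveredGateway:
    """One discovery announcement as the onboarding client sees it."""
    host: str
    port: int
    cert_fingerprint: str  # assumed: hex SHA-256 of the gateway's certificate


@dataclass
class OnboardingStore:
    trusted: dict = field(default_factory=dict)  # host -> fingerprint, persisted
    pending: dict = field(default_factory=dict)  # host -> DiscoveredGateway, unconfirmed


def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def onboard_vulnerable(store: OnboardingStore, gw: DiscoveredGateway) -> bool:
    """Weak pattern: whatever answers discovery is persisted as the gateway."""
    store.trusted[gw.host] = gw.cert_fingerprint
    return True


def receive_discovery(store: OnboardingStore, gw: DiscoveredGateway) -> str:
    """Hardened pattern, step 1: record the announcement but do not trust it."""
    known = store.trusted.get(gw.host)
    if known is not None and not hmac.compare_digest(known, gw.cert_fingerprint):
        return "mismatch"  # an already trusted host now presents a different identity
    store.pending[gw.host] = gw
    return "pending"


def confirm_trust(store: OnboardingStore, host: str,
                  fingerprint_expected_by_user: str, user_confirmed: bool) -> bool:
    """Step 2: persist only if the user explicitly confirms the exact identity."""
    gw = store.pending.get(host)
    if gw is None or not user_confirmed:
        return False
    if not hmac.compare_digest(fingerprint_expected_by_user, gw.cert_fingerprint):
        return False
    store.trusted[host] = gw.cert_fingerprint
    del store.pending[host]
    return True


def may_send_credentials(store: OnboardingStore, gw: DiscoveredGateway) -> bool:
    """Credentials go only to a gateway whose persisted identity matches."""
    known = store.trusted.get(gw.host)
    return known is not None and hmac.compare_digest(known, gw.cert_fingerprint)


# Constructed sample data: a real gateway and a second announcement that
# reuses its hostname but presents a different certificate.
REAL_FP = fingerprint(b"constructed-real-gateway-cert")
OTHER_FP = fingerprint(b"constructed-other-gateway-cert")
REAL = DiscoveredGateway("gateway.lan", 8443, REAL_FP)
OTHER = DiscoveredGateway("gateway.lan", 8443, OTHER_FP)


def run_scenario() -> dict:
    """Compare the weak and hardened flows against the unexpected announcement."""
    weak = OnboardingStore()
    onboard_vulnerable(weak, OTHER)

    hard = OnboardingStore()
    state = receive_discovery(hard, OTHER)
    # The user checks the displayed fingerprint against the real one, obtained
    # out of band, and confirms; the pending identity does not match it.
    confirmed = confirm_trust(hard, "gateway.lan", REAL_FP, user_confirmed=True)
    return {
        "weak_sends_credentials_to_other": may_send_credentials(weak, OTHER),
        "hardened_state_after_discovery": state,
        "hardened_confirmation_accepted": confirmed,
        "hardened_sends_credentials_to_other": may_send_credentials(hard, OTHER),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point is that discovery is treated as untrusted input: an announcement can only move a gateway into the pending set, and the transition to the persisted trusted set requires both an explicit user action and a match against an identity the user verified independently of the discovery channel. Once a host is trusted, an announcement carrying a different fingerprint is reported as a mismatch rather than silently replacing the stored identity.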

Vulnerability details

OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.

CWE(s)

CWE-346 Origin Validation Error

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The vulnerability enables spoofing of unauthenticated discovery endpoints to redirect onboarding to a malicious gateway, directly facilitating an Adversary-in-the-Middle attack for credential or traffic capture.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-32302 (same product: Openclaw Openclaw)
- CVE-2026-32924 (same product: Openclaw Openclaw)
- CVE-2026-27523 (same product: Openclaw Openclaw)
- CVE-2026-28463 (same product: Openclaw Openclaw)
- CVE-2026-43573 (same product: Openclaw Openclaw)
- CVE-2026-32914 (same product: Openclaw Openclaw)
- CVE-2026-28470 (same product: Openclaw Openclaw)
- CVE-2026-28392 (same product: Openclaw Openclaw)
- CVE-2026-35663 (same product: Openclaw Openclaw)
- CVE-2026-41347 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.3.28

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

- Prevent (IA-3 Device Identification and Authentication): requires authentication of devices such as gateways before establishing connections, directly preventing spoofing of discovery endpoints during remote onboarding.
- Prevent: mandates authentication of services such as the discovery endpoints before use, blocking their persistence without explicit trust confirmation.
- Prevent (AC-17 Remote Access): enforces authorization and authentication mechanisms for remote access sessions, mitigating redirection to malicious gateways in the onboarding process.
