CVE-2026-41349
Published: 23 April 2026
Summary
CVE-2026-41349 is a high-severity Missing Authorization (CWE-862) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access and operations, directly preventing bypass of consent mechanisms via unauthorized config.patch modifications.
Validates information inputs such as the config.patch parameter to block malicious attempts to disable execution approval.
Establishes and enforces secure configuration settings that prohibit disabling security features like consent checks through parameters.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote low-privileged attackers to bypass consent/approval security controls via the config.patch parameter, directly enabling exploitation for defense evasion (T1211).
NVD Description
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
Deeper analysisAI
CVE-2026-41349 is an agentic consent bypass vulnerability affecting OpenClaw versions before 2026.3.28. The issue arises from the config.patch parameter, which allows LLM agents to silently disable execution approval mechanisms. This flaw, classified under CWE-862 (Missing Authorization), enables attackers to circumvent security controls designed to require user consent for operations.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. Remote attackers with low privileges (PR:L) can exploit it over the network (AV:N) without user interaction (UI:N). Successful exploitation allows bypassing consent checks to execute unauthorized operations, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation is available in OpenClaw 2026.3.28 and later versions, with the fix implemented in commit 76411b2afc4ae721e36c12e0ea24fd23e2fed61e at https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch.
This vulnerability holds relevance for deployments involving LLM agents, as it specifically targets consent mechanisms in agentic AI workflows. No public information on real-world exploitation is available in the provided details.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm