Cyber Posture

CVE-2026-41352

Severity: High · Public PoC

Published: 23 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: OpenClaw 2026.3.31
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0047 (64.6th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41352 is a high-severity Missing Authorization (CWE-862) vulnerability in OpenClaw (vendor Openclaw, product openclaw). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 35.4% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-3 (Device Identification and Authentication).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-3 Access Enforcement · prevent

Enforces approved authorizations for logical access to system resources, directly preventing device-paired nodes from bypassing the node scope gate to execute arbitrary commands.

IA-3 Device Identification and Authentication · prevent

Requires unique identification and authentication of devices before establishing remote connections, mitigating the failure in node pairing validation.

SI-2 Flaw Remediation · prevent

Mandates timely identification, reporting, and correction of system flaws, enabling patching to OpenClaw 2026.3.31 to remediate the missing authorization vulnerability.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The node scope gate authentication mechanism fails to validate node pairing, so a remote attacker holding low-privilege device pairing credentials can bypass authorization and execute arbitrary node commands on the host. This directly enables T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.

Deeper analysis [AI-generated]

CVE-2026-41352 is a remote code execution vulnerability (CWE-862: Missing Authorization) affecting OpenClaw versions prior to 2026.3.31. The flaw exists in the node scope gate authentication mechanism, which fails to properly validate node pairing. This allows a device-paired node to bypass authentication and execute arbitrary commands on the host system. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-23.

Attackers who possess device pairing credentials can exploit this vulnerability remotely with low complexity and low privileges required, without user interaction. Successful exploitation enables execution of arbitrary node commands on the host system, potentially leading to high confidentiality, integrity, and availability impacts, such as full system compromise.

The fix ships in OpenClaw version 2026.3.31 and later, as detailed in the upstream patch commit (3886b65ef21d02808c1a106fa1f9f69e22f71c32) and the GitHub security advisory (GHSA-xj9w-5r6q-x6v4). Security practitioners should update affected installations promptly; additional details are available in the VulnCheck advisory.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

Vendor: openclaw · Product: openclaw · Version: ≤ 2026.3.31

CVEs Like This One

CVE-2026-41378 · Same product: Openclaw Openclaw
CVE-2026-43580 · Same product: Openclaw Openclaw
CVE-2026-4039 · Same product: Openclaw Openclaw
CVE-2026-41394 · Same product: Openclaw Openclaw
CVE-2026-35660 · Same product: Openclaw Openclaw
CVE-2026-28466 · Same product: Openclaw Openclaw
CVE-2026-43575 · Same product: Openclaw Openclaw
CVE-2026-22172 · Same product: Openclaw Openclaw
CVE-2026-41349 · Same product: Openclaw Openclaw
CVE-2026-28485 · Same product: Openclaw Openclaw
