CVE-2026-41394
Published: 28 April 2026
Summary
CVE-2026-41394 is a high-severity Missing Authorization (CWE-862) vulnerability in OpenClaw. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 21.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly identifies and limits the actions permissible without identification or authentication, directly addressing the root cause here: operator runtime write scopes being granted on unauthenticated plugin-auth HTTP routes.
AC-3 enforces approved authorizations for access to system resources, so a request that carries no verified identity cannot perform privileged runtime actions through the vulnerable HTTP routes.
AC-6 applies least privilege so that operator runtime write scopes are granted only to authorized entities, reducing the impact of an authentication bypass on plugin-auth routes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in unauthenticated HTTP routes of a network-accessible service directly enables initial access by exploiting a public-facing application.
NVD Description
OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.
Deeper analysis
CVE-2026-41394 is an authentication bypass vulnerability affecting OpenClaw versions prior to 2026.3.31. The issue arises in unauthenticated plugin-auth HTTP routes, which incorrectly grant operator runtime write scopes. This allows attackers to access these routes without authentication and perform privileged runtime actions intended exclusively for authorized operators. The vulnerability is rated with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N) and is associated with CWE-862 (Missing Authorization).
Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. By targeting the affected HTTP routes, they can achieve high-impact integrity violations, such as executing unauthorized operator-level runtime modifications, while causing low confidentiality impact and no availability disruption. The unchanged scope indicates exploitation remains within the vulnerable component.
Mitigation details are available in official advisories and the fixing commit. The GitHub security advisory (GHSA-mhgq-xpfq-6r66) and the patch commit (2a1db0c0f1fa375004a95ba0ef030534790a6d47) address the issue in OpenClaw 2026.3.31, with additional analysis in the Vulncheck advisory on unauthorized operator scope access in plugin-auth routes. Security practitioners should upgrade to version 2026.3.31 or later and review these references for implementation specifics.
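To make the defect class concrete, the following is an added illustration written for this page; it is not OpenClaw code and does not reproduce the project's routes, scope names or fix. It models the pattern the NVD description names: a route reachable without authentication that nevertheless carries an operator write scope in its own definition, next to the hardened form in which scopes are derived only from a verified principal and route metadata states requirements rather than grants. It also includes a small configuration lint a defender can run over such a route table. All paths, tokens, scope strings and function names are hypothetical.

```javascript
'use strict';
// Added example (not OpenClaw's code). Hypothetical route table, tokens and scopes.

const WRITE_SCOPE = 'operator.runtime.write';
const READ_SCOPE = 'operator.runtime.read';

// Constructed credential store standing in for a real token/session check.
const TOKENS = new Map([
  ['tok-operator-1', { subject: 'alice', scopes: [WRITE_SCOPE, READ_SCOPE] }],
  ['tok-viewer-1', { subject: 'bob', scopes: [READ_SCOPE] }],
]);

// Returns the verified principal for a Bearer token, or null when absent/unknown.
function authenticate(req) {
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  return m ? TOKENS.get(m[1]) || null : null;
}

// Hypothetical route table. The first entry has the CWE-862 shape: it is
// marked public (auth: 'none') yet its definition *grants* a write scope.
const ROUTES = [
  { path: '/plugin-auth/callback', auth: 'none', grantedScopes: [WRITE_SCOPE], required: [WRITE_SCOPE] },
  { path: '/runtime/restart', auth: 'required', grantedScopes: [], required: [WRITE_SCOPE] },
];

function findRoute(path) {
  return ROUTES.find((r) => r.path === path) || null;
}

// Vulnerable resolver: scopes are taken from the route definition, so an
// anonymous caller receives operator write scope just by hitting the route.
function resolveScopesVulnerable(route, req) {
  const scopes = new Set(route.grantedScopes);
  const principal = authenticate(req);
  if (principal) principal.scopes.forEach((s) => scopes.add(s));
  return scopes;
}

// Hardened resolver: scopes come only from a verified principal; route
// metadata never adds any. An unauthenticated request holds no scopes at all.
function resolveScopesHardened(route, req) {
  const principal = authenticate(req);
  return new Set(principal ? principal.scopes : []);
}

// Dispatches one request through the given scope resolver and enforces the
// route's requirements. Returns a small result object instead of writing HTTP.
function dispatch(req, resolveScopes) {
  const route = findRoute(req.path);
  if (!route) return { status: 404 };
  if (route.auth === 'required' && !authenticate(req)) return { status: 401 };
  const scopes = resolveScopes(route, req);
  const missing = route.required.filter((s) => !scopes.has(s));
  if (missing.length) return { status: 403, missing };
  return { status: 200, scopes: [...scopes].sort() };
}

// Defender's configuration lint: any route reachable without authentication
// that grants a write scope is the misconfiguration described in the advisory.
function auditRoutes(routes) {
  return routes
    .filter((r) => r.auth === 'none' && r.grantedScopes.some((s) => s.endsWith('.write')))
    .map((r) => r.path);
}

// Stand-alone demonstration with constructed requests.
if (typeof require !== 'undefined' && require.main === module) {
  const anon = { path: '/plugin-auth/callback', headers: {} };
  console.log('vulnerable, anonymous:', dispatch(anon, resolveScopesVulnerable));
  console.log('hardened,   anonymous:', dispatch(anon, resolveScopesHardened));
  console.log('routes flagged by audit:', auditRoutes(ROUTES));
}

module.exports = { dispatch, resolveScopesVulnerable, resolveScopesHardened, auditRoutes, ROUTES, WRITE_SCOPE };
```

The design point is that a route definition should be a statement of what a caller must already hold, never a source of privilege: once grants are attached only to an authenticated principal, marking a route public can at worst make it unusable, not make it privileged. The audit function catches the grant-on-public-route shape at configuration review time, before a request ever arrives.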
Details
- CWE(s): CWE-862 (Missing Authorization)