CVSS 8.8 · HIGH

CVE-2026-41352

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.

View on NVD

Analysis

OpenClaw is a niche project not widely recognized as part of the standard web or mobile development stack. While the vulnerability allows remote code execution through an authentication bypass, the limited adoption of the software among the community does not justify an alert.

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-862

EPSS

Probability of exploitation (next 30 days): 0.0035 (0.4%)
Percentile: 57.7%
EPSS score date: 2026-05-06

Affects

openclaw:openclaw


Published: 4/23/2026, 10:16:42 PM
Last modified: 4/28/2026, 6:54:57 PM
