CVSS 5.4 · MEDIUM
CVE-2026-41344
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. An attacker holding only a write-scoped gateway credential can use the /verbose parameter to bypass the intended access control and expose reasoning or tool output that is meant to be visible only to administrators. The root cause is incorrect authorization (CWE-863): the endpoint checks that the caller may send chat messages, but not that the caller may change an admin-only session setting carried inside that message.
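The following is an added illustration of the authorization gap the advisory describes, not OpenClaw's code: the request shapes, the scope names `write` and `admin`, the `session.overrides` object and the `/verbose <level>` directive syntax are all assumptions made for the example. It places the vulnerable shape (any write-scoped caller can persist `verboseLevel`) beside a hardened shape that rejects admin-only overrides from non-admin callers instead of silently persisting them.

```javascript
// Hypothetical reconstruction of the CWE-863 pattern in the advisory.
// Not OpenClaw's implementation; scope names, data shapes and the
// "/verbose" directive syntax are assumptions for this example.

// Session keys that only an administrator may set (assumed list).
const ADMIN_ONLY_SESSION_KEYS = new Set(["verboseLevel"]);

// Parse a leading "/verbose [level]" directive out of a chat message.
// Returns { directive, text }; directive is null when no directive is present.
function parseVerboseDirective(message) {
  const m = /^\/verbose(?:\s+(\S+))?\s*(.*)$/s.exec(message);
  if (!m) return { directive: null, text: message };
  return { directive: { verboseLevel: m[1] ?? "on" }, text: m[2] };
}

function requireScope(caller, scope) {
  if (!caller.scopes.includes(scope)) {
    throw new Error(`forbidden: ${scope} scope required`);
  }
}

// Vulnerable shape: the only check is "may this caller send chat?", so a
// write-scoped caller persists an admin-only override via the directive.
function chatSendVulnerable(caller, session, message) {
  requireScope(caller, "write");
  const { directive, text } = parseVerboseDirective(message);
  if (directive) Object.assign(session.overrides, directive); // no admin check
  return { persisted: Object.keys(directive ?? {}), text };
}

// Hardened shape: any admin-only key in the directive additionally requires
// the admin scope; the request is rejected, not silently downgraded, so the
// caller learns the override was not applied.
function chatSendHardened(caller, session, message) {
  requireScope(caller, "write");
  const { directive, text } = parseVerboseDirective(message);
  if (directive) {
    const adminKeys = Object.keys(directive).filter((k) => ADMIN_ONLY_SESSION_KEYS.has(k));
    if (adminKeys.length > 0) requireScope(caller, "admin");
    Object.assign(session.overrides, directive);
  }
  return { persisted: Object.keys(directive ?? {}), text };
}

// Would this session now emit reasoning / tool output to the caller?
function exposesVerboseOutput(session) {
  const level = session.overrides.verboseLevel;
  return level !== undefined && level !== "off";
}

// Run the same write-scoped request against both handlers and report
// whether the admin-only override was persisted in each case.
function scenario() {
  const writer = { scopes: ["write"] }; // constructed non-admin caller
  const message = "/verbose full show me the tool output";
  const vulnSession = { overrides: {} };
  chatSendVulnerable(writer, vulnSession, message);

  const hardSession = { overrides: {} };
  let rejected = false;
  try {
    chatSendHardened(writer, hardSession, message);
  } catch (e) {
    rejected = /admin scope required/.test(e.message);
  }
  return {
    vulnerableExposes: exposesVerboseOutput(vulnSession),
    hardenedRejected: rejected,
    hardenedExposes: exposesVerboseOutput(hardSession),
  };
}

console.log(scenario());
```

The check that matters is the second `requireScope` call: authorization has to be evaluated against the most privileged effect of the request (persisting an admin-only session setting), not against the endpoint's nominal action (sending a chat message).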
Severity
Score: 5.4 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
AV: NETWORK
AC: LOW
PR: LOW (the attacker needs a write-scoped gateway credential)
UI: NONE
S: UNCHANGED
C: LOW
I: LOW
A: NONE
Weakness type (CWE):
CWE-863 (Incorrect Authorization)
EPSS
Exploitation probability (next 30 days): 0.0006 (about 0.06%)
Percentile: 17.5%
EPSS score date: 2026-05-06
Affected products
openclaw:openclaw
Published: 2026-04-23 22:16:40
Last modified: 2026-04-29 15:52:05