Skip to content
CVSS 8.8 · HIGH

CVE-2026-41349

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

Ver en NVD

Análisis

The vulnerability affects OpenClaw, an LLM agent framework, allowing agents to bypass execution approvals and perform unauthorized operations. While the high severity is notable, OpenClaw is not a core part of the standard web or backend development stack used by the community.

Severidad

Puntaje: 8.8(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-862

EPSS

Probabilidad de explotación (próx. 30 días): 0.0012 (0.1%)
Percentil: 30.1%
EPSS: 2026-05-06

Afecta

openclaw:openclaw

Descripción técnica

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

Publicada: 23/4/2026, 22:16:41
Última modificación: 29/4/2026, 14:40:45

Referencias

InicioEventosBlogRecursosEquipo