Skip to content
CVSS 7.1 · HIGH

CVE-2026-41359

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

Ver en NVD

Análisis

OpenClaw is a niche automation or gaming-related project not commonly found in professional web or backend development stacks. The vulnerability is a privilege escalation that requires existing operator credentials, making it less of a systemic risk to the broader community.

Severidad

Puntaje: 7.1(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: LOW
I: HIGH
A: NONE
Tipo de falla (CWE): CWE-269

EPSS

Probabilidad de explotación (próx. 30 días): 0.0003 (0.0%)
Percentil: 7.4%
EPSS: 2026-05-06

Afecta

openclaw:openclaw

Descripción técnica

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

Publicada: 23/4/2026, 22:16:43
Última modificación: 29/4/2026, 13:44:19

Referencias

InicioEventosBlogRecursosEquipo