CVSS 8.5 · HIGH

CVE-2026-41371

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path.
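The authorization gap this advisory describes, as an added illustration that is not OpenClaw's own code: a chat.send-style handler that checks write scope once and then honours a reset option for any caller (the CWE-863 pattern) beside one that enforces admin scope on the reset branch itself. The method names, scope names and the in-memory session store are assumptions.

```python
# Added illustration (not OpenClaw's code): handler, scopes and store are assumptions.
import secrets
from dataclasses import dataclass, field

ADMIN, WRITE = "admin", "write"

class Forbidden(Exception): ...

@dataclass
class Session:
    session_id: str
    transcript: list = field(default_factory=list)

@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)  # key -> live Session
    archive: dict = field(default_factory=dict)   # old session_id -> transcript

    def _reset_session(self, key: str) -> str:
        """Admin-only: archive the transcript and rotate the session id."""
        old = self.sessions.get(key)
        if old is not None:
            self.archive[old.session_id] = list(old.transcript)
        self.sessions[key] = Session(session_id=secrets.token_hex(8))
        return self.sessions[key].session_id

    def _append(self, key: str, text: str) -> str:
        sess = self.sessions.setdefault(key, Session(secrets.token_hex(8)))
        sess.transcript.append(text)
        return sess.session_id

    def chat_send_vulnerable(self, scopes: set, key: str, text: str, reset: bool = False) -> str:
        # Bug: write scope is checked once, then the reset option is honoured
        # for any caller, so write scope reaches an admin-only operation.
        if not scopes & {WRITE, ADMIN}:
            raise Forbidden("write scope required")
        if reset:
            self._reset_session(key)
        return self._append(key, text)

    def chat_send_fixed(self, scopes: set, key: str, text: str, reset: bool = False) -> str:
        # Fix: the privileged branch enforces its own scope requirement.
        if not scopes & {WRITE, ADMIN}:
            raise Forbidden("write scope required")
        if reset and ADMIN not in scopes:
            raise Forbidden("admin scope required for session reset")
        if reset:
            self._reset_session(key)
        return self._append(key, text)
```

A write-scoped caller of the vulnerable handler rotates the session and archives the prior transcript; the fixed handler rejects the same request before touching the store.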

View on NVD

Analysis

OpenClaw appears to be a specialized chat-orchestration or integration tool with limited adoption in the general developer ecosystem. A privilege escalation from write scope to admin scope is a serious high-severity bug (CVSS 8.5), but the tool's niche status does not meet the threshold for a broad community alert in the absence of active exploitation.

Severity

Score: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: CHANGED
C: NONE
I: HIGH
A: LOW
Weakness type (CWE): CWE-863 (Incorrect Authorization)

EPSS

Exploitation probability (next 30 days): 0.0004 (0.0%)
Percentile: 12.5%
EPSS score date: 2026-05-06

Affects

openclaw:openclaw

Published: 28/4/2026, 0:16:26
Last modified: 28/4/2026, 18:44:10
