CVSS 8.8 · HIGH

CVE-2026-41378

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.

View on NVD

Analysis

OpenClaw is an obscure automation or orchestration tool not commonly used in the community's primary software stack. While the flaw allows privilege escalation to remote code execution on the gateway, the impact is confined to a niche product and requires the attacker to already possess trusted paired node credentials.

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-862

EPSS

Probability of exploitation (next 30 days): 0.0025 (0.2%)
Percentile: 47.9%
EPSS score date: 2026-05-06

Affects

openclaw:openclaw

Published: 28/4/2026, 19:37:40
Last modified: 1/5/2026, 15:51:15
