CVSS 8.2 · HIGH

CVE-2026-41394

OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators.

Analysis

OpenClaw is an obscure open-source project with very low adoption in standard web or backend development stacks. Although the vulnerability allows unauthenticated administrative write access, the limited deployment scale makes it less relevant for a general community feed.

Severity

Score: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): High
Availability (A): None
Weakness type (CWE): CWE-862 (Missing Authorization)

EPSS

Exploitation probability (next 30 days): 0.0007 (0.1%)
Percentile: 20.8%
EPSS score date: 2026-05-06

Affects

openclaw:openclaw

Published: 28/4/2026, 19:37:42
Last modified: 30/4/2026, 20:45:14

References