{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-41394", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T14:13:45.349Z", "datePublished": "2026-04-28T18:09:54.214Z", "dateUpdated": "2026-04-28T18:09:54.214Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-28T18:09:54.214Z" }, "title": "OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes", "descriptions": [ { "lang": "en", "value": "OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes without authentication to perform privileged runtime actions intended for authorized operators." } ], "tags": [ "x_open-source" ], "datePublic": "2026-03-31T00:00:00.000Z", "problemTypes": [ { "descriptions": [ { "lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE" } ] } ], "affected": [ { "vendor": "OpenClaw", "product": "OpenClaw", "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw", "versions": [ { "version": "0", "status": "affected", "versionType": "semver", "lessThan": "2026.3.31" }, { "version": "2026.3.31", "status": "unaffected", "versionType": "semver" } ] } ], "cpeApplicability": [ { "nodes": [ { "operator": "OR", "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.31" } ] } ] } ], "metrics": [ { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV4_0": { "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N" } }, { "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ], "cvssV3_1": { "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" } } ], "references": [ { "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66", "name": "GitHub Security Advisory (GHSA-mhgq-xpfq-6r66)", "tags": [ "vendor-advisory" ] }, { "url": "https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47", "name": "Patch Commit", "tags": [ "patch" ] }, { "name": "VulnCheck Advisory: OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes", "tags": [ "third-party-advisory" ], "url": "https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes" } ], "credits": [ { "lang": "en", "value": "davidluzsilva", "type": "reporter" } ], "x_generator": { "engine": "vulncheck" } } } }