CVE-2026-41349

HIGH CVSS 8.8 View on NVD ↗

Description

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e
https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw
https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch

Published: Apr 23, 2026 22:16 UTC Modified: Apr 24, 2026 14:40 UTC