CVE-2026-41349

HighPublic PoC

Published: 23 April 2026

Published

23 April 2026

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access and operations, directly preventing bypass of consent mechanisms via unauthorized config.patch modifications.

SI-10 Information Input Validation good match

prevent

Validates information inputs such as the config.patch parameter to block malicious attempts to disable execution approval.

CM-6 Configuration Settings partial match

prevent

Establishes and enforces secure configuration settings that prohibit disabling security features like consent checks through parameters.

Security SummaryAI

CVE-2026-41349 is an agentic consent bypass vulnerability affecting OpenClaw versions before 2026.3.28. The issue arises from the config.patch parameter, which allows LLM agents to silently disable execution approval mechanisms. This flaw, classified under CWE-862 (Missing Authorization), enables attackers to circumvent security controls designed to require user consent for operations.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. Remote attackers with low privileges (PR:L) can exploit it over the network (AV:N) without user interaction (UI:N). Successful exploitation allows bypassing consent checks to execute unauthorized operations, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation is available in OpenClaw 2026.3.28 and later versions, with the fix implemented in commit 76411b2afc4ae721e36c12e0ea24fd23e2fed61e at https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw and the Vulncheck advisory at https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch.

This vulnerability holds relevance for deployments involving LLM agents, as it specifically targets consent mechanisms in agentic AI workflows. No public information on real-world exploitation is available in the provided details.

Details

CWE(s): CWE-862

Affected Products

openclaw

≤ 2026.3.28

AI Security AnalysisAI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: llm

MITRE ATT&CK Enterprise TechniquesAI

T1211 Exploitation for Stealth Stealth

Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote low-privileged attackers to bypass consent/approval security controls via the config.patch parameter, directly enabling exploitation for defense evasion (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61e
Patch · disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pw
Vendor Advisory, Patch · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch
Third Party Advisory · disclosure@vulncheck.com