Cyber Posture

CVE-2026-41352

Severity: High · Public PoC

Published: 23 April 2026
Modified: 28 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute arbitrary node commands on the host system without proper node pairing validation.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Enforces approved authorizations for logical access to system resources, directly preventing device-paired nodes from bypassing the node scope gate to execute arbitrary commands.

prevent: Requires unique identification and authentication of devices before establishing remote connections, mitigating the failure in node pairing validation.

prevent: Mandates timely identification, reporting, and correction of system flaws, enabling patching to OpenClaw 2026.3.31 to remediate the missing authorization vulnerability.

Security Summary (AI-generated)

CVE-2026-41352 is a remote code execution vulnerability (CWE-862: Missing Authorization) affecting OpenClaw versions prior to 2026.3.31. The flaw exists in the node scope gate authentication mechanism, which fails to properly validate node pairing. This allows a device-paired node to bypass authentication and execute arbitrary commands on the host system. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-04-23.

Attackers who possess device pairing credentials can exploit this vulnerability remotely with low complexity and low privileges required, without user interaction. Successful exploitation enables execution of arbitrary node commands on the host system, potentially leading to high confidentiality, integrity, and availability impacts, such as full system compromise.

The fix ships in OpenClaw version 2026.3.31 and later, as detailed in the upstream patch commit (3886b65ef21d02808c1a106fa1f9f69e22f71c32) and the GitHub security advisory (GHSA-xj9w-5r6q-x6v4). Security practitioners should update affected installations promptly; additional details are available in the VulnCheck advisory.

Details

CWE(s)

CWE-862: Missing Authorization

Affected Products

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.3.31

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The remote code execution flaw in the node scope gate authentication mechanism allows a low-privileged remote attacker to bypass authorization and execute arbitrary commands on the host, which maps directly to T1210: Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References