CVE-2026-41299

CVSS v3.1

7.1

High

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Summary

ACP-only provenance fields in chat.send were gated by self-declared client metadata from the WebSocket handshake rather than verified authorization state.

Impact

A normal authenticated operator client could spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge.

Affected Component

src/gateway/server-methods/chat.ts, src/gateway/server/ws-connection/message-handler.ts

Fixed Versions

Affected: <= 2026.3.24
Patched: >= 2026.3.28
Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 4b9542716c (Gateway: require verified scope for chat provenance).

Fix

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-807CWE-290

Related Identifiers

CVE-2026-41299

GHSA-6XG4-82HV-CP6F

Affected Products

Openclaw

CVE-2026-41299

Summary

Impact

Affected Component

Fixed Versions

Fix

Weakness Enumeration

Related Identifiers

Affected Products

References · 6