PT-2026-34780 · Openclaw · Openclaw
Edward-X · Published 2026-04-23 · Updated 2026-04-25
CVE-2026-41349
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.28
Description
An agentic consent bypass allows LLM agents to silently disable execution approval. Remote attackers can exploit this by using the config.patch parameter to bypass security controls and execute unauthorized operations without user consent.
Recommendations
Update to version 2026.3.28 or later.
Avoid using the config.patch parameter until the update is applied.
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw