PT-2026-35760 · Openclaw · Openclaw

Antaisecuritylab · Published 2026-04-07 · Updated 2026-05-01 · CVE-2026-41375

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28

Description: An authorization bypass exists in the "/phone arm" and "/phone disarm" endpoints. The operator.admin scope check is not enforced for requests that arrive over external channels, so an attacker who can reach these endpoints through an external channel can arm or disarm phone channels without holding the administrative scope that the operation requires.

Recommendations: Update to version 2026.3.28 or later. Until the update is applied, restrict which channels and senders can reach the "/phone arm" and "/phone disarm" endpoints to limit the exposure.

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2026-41375
GHSA-H2V7-XC88-XX8C

Affected Products

Openclaw