PT-2026-35764 · Openclaw · Openclaw

Peng Zhou · Published 2026-04-07 · Updated 2026-05-01 · CVE-2026-41379

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28

Description: Authenticated operators holding only write permissions (operator.write) can escalate privileges to reach admin-class Talk Voice configuration persistence. The 'chat.send' endpoint exposes a path through which such operators can read and modify sensitive voice configuration settings that are intended exclusively for administrators.

Recommendations: Update to version 2026.3.28 or later. Until then, restrict access to the 'chat.send' endpoint for users holding operator.write privileges to minimize the risk of exploitation.

Fix

LPE

Incorrect Authorization

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2026-41379
GHSA-3Q42-XMXV-9VFR

Affected Products

Openclaw