PT-2026-35765 · Openclaw · Openclaw
Keensecuritylab +2 · Published 2026-04-01 · Updated 2026-05-01
CVE-2026-41380
CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.28
Description
An execution approval issue exists in exec-approvals-allowlist.ts where allow-always persistence trusts wrapper carrier executables instead of the actual invoked targets. This allows attackers to use positional carrier executable routing through dispatch wrappers to create broader allowlist entries than intended, which weakens execution approval boundaries.
Recommendations
Update to version 2026.3.28.
Fix
Incorrect Authorization
Related Identifiers
Affected Products
Openclaw