PT-2026-39680 · Openclaw · Openclaw

Keensecuritylab

·

Published

2026-04-29

·

Updated

2026-05-11

·

CVE-2026-44991

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.21
Description An authorization bypass exists in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands. This occurs when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can bypass owner-only authorization checks by sending commands such as '/send', '/config', or '/debug' on affected channels.
Recommendations Update to version 2026.4.21.

Fix

Missing Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44991
GHSA-C28G-VH7M-FM7V
GHSA-P3PV-C954-9M6F

Affected Products

Openclaw