PT-2026-39683 · Openclaw · Openclaw

Keensecuritylab

·

Published

2026-05-04

·

Updated

2026-05-11

·

CVE-2026-44994

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.22
Description An authentication bypass exists in the Control UI bootstrap config endpoint, allowing unauthenticated attackers to read sensitive configuration fields. Attackers can access the bootstrap config route without a valid Gateway token to expose sensitive bootstrap and config information intended only for authenticated Control UI sessions.
Recommendations Update to version 2026.4.22.

Exploit

Fix

Missing Authorization

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44994
GHSA-93RG-2XM5-2P9V

Affected Products

Openclaw