PT-2026-39695 · Openclaw · Openclaw

Keensecuritylab

·

Published

2026-05-05

·

Updated

2026-05-11

·

CVE-2026-45006

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.23
Description Improper access control in the gateway tool's 'config.apply' and 'config.patch' operations allows compromised models to bypass an incomplete denylist protection. This enables the writing of unsafe configuration changes that persist after a restart, potentially affecting command execution, network behavior, credentials, and operator policies.
Recommendations Update to version 2026.4.23.

Exploit

Fix

Incomplete List of Disallowed Inputs

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45006
GHSA-CWJ3-VQPP-PMXR

Affected Products

Openclaw