HIGHCVE-2026-41342Published 2026-04-23Modified 2026-04-24CNA VulnCheck

CVE-2026-41342: OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding

OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture gateway credentials or traffic.

CVSS v4.0: 7.4
Severity: HIGH
Fixed in: 2026.3.28
Affected Products: 1

Fix available

2026.3.28

Affected packages

OpenClaw / OpenClaw
< 2026.3.28 (from 0)
Fixed in 2026.3.28

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-3cw3-5vxw-g2h3)
VulnCheck Advisory: OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding

Metrics

Fix available