HIGHCVE-2026-41349Published 2026-04-23Modified 2026-04-24CNA VulnCheck

CVE-2026-41349: OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: 2026.3.28
Affected Products: 1

Fix available

2026.3.28

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.3.28 (from 0)
Fixed in 2026.3.28

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-v3qc-wrwx-j3pw)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch

Metrics

Fix available