HIGHCVE-2026-41375Published 2026-04-28Modified 2026-04-29CNA VulnCheck

CVE-2026-41375: OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges.

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: 2026.3.28
Affected Products: 1

Fix available

2026.3.28

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.3.28 (from 0)
Fixed in 2026.3.28

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-h2v7-xc88-xx8c)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints

Metrics

Fix available