Description
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
Published: 2026-04-23
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch Now
AI Analysis

Impact

The vulnerability is an authentication boundary flaw in OpenClaw prior to version 2026.3.31. During the Telegram legacy allowFrom migration the system incorrectly propagates the default-account trust to all named accounts, allowing a malicious actor to obtain privileged access to those accounts without proper authentication. This flaw falls under CWE‑372, which involves an incorrect control of trust. The impact is that a wrong configuration can let an attacker bypass authentication controls and gain unauthorized access to any named account on the platform.

Affected Systems

All OpenClaw deployments running any version older than 2026.3.31, regardless of edition.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of <1% suggests that exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to involve triggering or manipulating the legacy migration with allowFrom enabled, which would generally require the ability to influence that migration process. Once the flaw is exploited, the attacker can bypass authentication and acquire full access to named accounts.

Generated by OpenCVE AI on April 28, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw 2026.3.31 or newer versions
  • Review and adjust the Telegram legacy allowFrom configuration to prevent default-account trust propagation
  • Disable the legacy migration feature until the patch is applied or monitor for anomalous access attempts

Generated by OpenCVE AI on April 28, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to bypass authentication controls and gain unauthorized access to named accounts.
Title OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migration
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-372
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T16:40:12.203Z

Reserved: 2026-04-20T14:05:09.183Z

Link: CVE-2026-41340

cve-icon Vulnrichment

Updated: 2026-04-24T16:40:08.977Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:40.307

Modified: 2026-04-28T18:56:14.907

Link: CVE-2026-41340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses