Description
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
Published: 2026-04-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unapproved Operation Execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw software contains a flaw that lets an attacker influence the agentic consent mechanism through a configuration patch. The flaw permits LLM agents to disable the execution approval prompt without the user’s knowledge, enabling the attacker to run unvetted commands or operations. This results in the attacker achieving unintended code or privilege execution, compromising confidentiality, integrity, and availability of the running system.

Affected Systems

OpenClaw OpenClaw, versions prior to 2026.3.28. Any deployment using an older release of OpenClaw that processes agent configuration patches is affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently very low, and it is not included in the CISA KEV catalog. Nevertheless, the flaw can be leveraged over the network by a remote attacker, as the configuration patch can be delivered remotely to a compromised or compromised agent. Attackers could therefore bypass normal consent checks and execute unauthorized actions, potentially escalating privileges or disseminating malware. The lack of a documented workaround means mitigation relies on applying the vendor’s patch or enforcing additional access controls.

Generated by OpenCVE AI on April 28, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later to apply the fix.
  • If upgrading is not immediately possible, block direct modification of the config.patch parameter by non‑privileged users and enforce ACLs on configuration files.
  • Monitor configuration changes and runtime logs for unauthorized modifications to config.patch or agent execution approvals.

Generated by OpenCVE AI on April 28, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
Title OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-862
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T14:34:50.145Z

Reserved: 2026-04-20T14:07:26.648Z

Link: CVE-2026-41349

cve-icon Vulnrichment

Updated: 2026-04-24T14:34:30.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:41.827

Modified: 2026-04-29T14:40:45.550

Link: CVE-2026-41349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses