Description
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
Published: 2026-04-23
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

OpenClaw before 2026.3.28 suffers from a privilege escalation flaw that allows authenticated users with operator.write permissions to access and modify admin‑class Telegram configuration and cron persistence settings through the send endpoint. This weakness, identified as CWE‑269, removes access controls that should confine those settings to higher‑privileged roles. The result is that an attacker who has any operator write capability can elevate privileges to administer cron jobs and potentially persist malicious changes, compromising the integrity and availability of the system.

Affected Systems

The vulnerability affects OpenClaw deployments running any version before 2026.3.28. Administrators should verify whether their environment uses a pre‑2026.3.28 release of the OpenClaw application.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity issue. The EPSS score of less than 1% shows that current exploitation likelihood is very low, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need legitimate operator.write credentials and would exploit the insufficient access control on the send endpoint to reach the admin configuration resources. Because access to the operator.write role is usually restricted, the overall risk is moderate, but the impact of compromising cron persistence is significant.

Generated by OpenCVE AI on April 28, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later to receive the vendor remediation for this privilege escalation bug.
  • Restrict the assignment of operator.write permissions to the fewest users necessary, ensuring that only trusted personnel have write capabilities on the send endpoint.
  • If an upgrade is not immediately possible, disable or remove access to the admin‑class Telegram configuration and cron persistence settings in application configuration to mitigate the elevated access risk.

Generated by OpenCVE AI on April 28, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-767m-xrhc-fxm7 OpenClaw: Gateway operator.write Can Reach Admin-Class Telegram Config and Cron Persistence via send
History

Sat, 25 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
Title OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-269
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-25T01:37:44.526Z

Reserved: 2026-04-20T14:09:02.628Z

Link: CVE-2026-41359

cve-icon Vulnrichment

Updated: 2026-04-25T01:37:40.876Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:43.527

Modified: 2026-04-29T13:44:19.390

Link: CVE-2026-41359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses