Description
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges.
Published: 2026-04-28
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows attackers to control phone channel state by arming or disarming them without required administrative rights. The flaw originates from missing operator.admin scope validation in the /phone arm and /phone disarm endpoints of OpenClaw versions prior to 2026.3.28. Consequently, an unauthorized user could enable or disable external phone channels, potentially disrupting connectivity or facilitating further lateral movement.

Affected Systems

OpenClaw before version 2026.3.28. OpenClaw is a Node.js application.

Risk and Exploitability

Based on the description, it is inferred that the flaw can be exploited by any user with limited rights or even by unauthenticated traffic. An attacker would only need to send ordinary HTTP requests to the /phone arm or /phone disarm endpoints, because the missing operator.admin scope check lets them through. No advanced techniques are required. The CVSS score of 7.1 indicates a significant risk even though the CVE is not listed in the KEV catalog, especially in environments where OpenClaw manages critical voice or telecom infrastructure.

Generated by OpenCVE AI on April 29, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.28 or later to restore proper operator.admin scope checks for the affected endpoints.
  • Update any external systems or scripts that call the /phone arm or /phone disarm endpoints to use operator.admin credentials and enforce the correct scope.
  • Limit network exposure by configuring firewall or API gateway rules to restrict access to OpenClaw’s /phone arm and /phone disarm endpoints.
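The first recommended action above is to restore a scope check that is enforced for every phone channel, not only for some of them. The following JavaScript is an added illustration of that CWE-863 pattern and is not OpenClaw's code: the function names (authorizePhoneActionVulnerable, authorizePhoneAction, handlePhoneRequest), the session/channel shapes and the channel.origin field are all hypothetical. It places the flawed shape (admin scope checked only for internal channels) beside the hardened shape (required scope decided per action, independent of channel origin) and includes a small audit hook so denied calls leave a log line a defender can alert on.

```javascript
// Added example, not from OpenClaw. All names below are hypothetical and
// exist only to model the authorization pattern described in the record.

const ADMIN_SCOPE = "operator.admin";

// A session carries the scopes granted to the calling operator.
function operatorHasScope(session, scope) {
  return Boolean(session) && Array.isArray(session.scopes) && session.scopes.includes(scope);
}

// Flawed shape (hypothetical): the admin-scope requirement is tied to the
// channel's origin, so a caller with any valid session may arm or disarm an
// external channel. This is the kind of inconsistent check CWE-863 describes.
function authorizePhoneActionVulnerable(session, channel, action) {
  if (action !== "arm" && action !== "disarm") {
    return { allowed: false, reason: "unknown action" };
  }
  if (channel.origin === "internal" && !operatorHasScope(session, ADMIN_SCOPE)) {
    return { allowed: false, reason: `${ADMIN_SCOPE} required` };
  }
  return { allowed: true };
}

// Hardened shape: the required scope is looked up per action and enforced
// before any channel attribute is consulted, so no channel type can skip it.
const REQUIRED_SCOPE_BY_ACTION = Object.freeze({ arm: ADMIN_SCOPE, disarm: ADMIN_SCOPE });

function authorizePhoneAction(session, channel, action) {
  const required = REQUIRED_SCOPE_BY_ACTION[action];
  if (!required) {
    return { allowed: false, reason: "unknown action" };
  }
  if (!operatorHasScope(session, required)) {
    return { allowed: false, reason: `${required} required` };
  }
  return { allowed: true };
}

// Audit sink: every denied decision becomes one structured log record.
// A detection rule can alert on repeated denials from one subject.
const auditLog = [];
function recordDenial(session, channel, action, reason) {
  auditLog.push({
    event: "phone_action_denied",
    subject: session ? session.subject : "anonymous",
    channel: channel.id,
    origin: channel.origin,
    action,
    reason,
  });
}

// Minimal request handler modelled on a /phone <action> endpoint; the
// authorization strategy is injected so both shapes can be compared.
function handlePhoneRequest(authorize, req) {
  const { session, channel, action } = req;
  const decision = authorize(session, channel, action);
  if (!decision.allowed) {
    recordDenial(session, channel, action, decision.reason);
    return { status: 403, body: { error: decision.reason } };
  }
  return {
    status: 200,
    body: { channel: channel.id, state: action === "arm" ? "armed" : "disarmed" },
  };
}

// Constructed sample sessions and channels (not real identifiers).
const lowPrivSession = { subject: "agent-17", scopes: ["operator.read"] };
const adminSession = { subject: "ops-admin", scopes: ["operator.read", ADMIN_SCOPE] };
const externalChannel = { id: "ext-sip-01", origin: "external" };
const internalChannel = { id: "int-pbx-02", origin: "internal" };

// Run the same low-privilege request through both shapes.
const bypass = handlePhoneRequest(authorizePhoneActionVulnerable,
  { session: lowPrivSession, channel: externalChannel, action: "disarm" });
const blocked = handlePhoneRequest(authorizePhoneAction,
  { session: lowPrivSession, channel: externalChannel, action: "disarm" });
console.log("flawed check, external channel:", bypass.status);   // 200: bypass
console.log("hardened check, external channel:", blocked.status); // 403: denied
console.log("audit records:", auditLog.length);
```

The point of the hardened shape is that the scope lookup keys on the action alone; an attribute such as channel origin may still influence business rules later, but it can never remove the authorization requirement. The audit record on denial is what gives operations a signal to build a detection on while the upgrade to 2026.3.28 is rolled out.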

Generated by OpenCVE AI on April 29, 2026 at 01:25 UTC.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type               | Values Removed | Values Added
Description        | (none)         | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges.
Title              | (none)         | OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints
First Time appeared| (none)         | Openclaw; Openclaw openclaw
Weaknesses         | (none)         | CWE-863
CPEs               | (none)         | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | (none)         | Openclaw; Openclaw openclaw
References         | (none)         | (none)
Metrics            | (none)         | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
                   |                | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:09:39.000Z

Reserved: 2026-04-20T14:10:32.653Z

Link: CVE-2026-41375

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:40.280

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41375

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses