Description
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.
Published: 2026-04-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Revocation Bypass via Configuration Rehydration
Action: Patch Now
AI Analysis

Impact

OpenClaw versions prior to 2026.3.31 interpret empty array configuration settings as if they were missing during startup migration. This behavior allows an adversary to restart the application and cause previously revoked Tlon configuration to be rehydrated from the file system, thereby bypassing the intended revocation controls. The flaw is a form of improper deletion or cleanup logic (CWE-372) and can enable unauthorized configuration activation within the application.

Affected Systems

The vulnerability affects all OpenClaw releases before 2026.3.31; the CPE identifies the Node.js target of the package. No dependence on a particular Node.js version is noted beyond the presence of the OpenClaw component itself.

Risk and Exploitability

The CVSS score of 6.3 reflects a moderate severity. EPSS data is not available, and the issue is not listed in CISA KEV. Exploitation requires the ability to restart the OpenClaw instance; the attack vector is inferred to be local or privileged access. While not high risk by exploitation probability, the impact of revocation bypass can be significant to systems relying on strict configuration control.

Generated by OpenCVE AI on April 28, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.31 or later
  • Remove or set to null any revoked Tlon configuration entries in configuration files so they are not rehydrated
  • If an immediate upgrade is not possible, alter the startup migration process or adjust startup scripts to ignore empty-array revocation handling to prevent rehydration
  • Monitor restart events and validate that revoked configurations remain absent after the upgrade or workaround
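The following JavaScript is an added illustration of the pattern this record describes and of the post-restart check recommended above; it is not OpenClaw's code. The function names, the `tlon.allowedHosts` setting and the host strings are hypothetical, and the sample config and persisted state are constructed for the example. It shows a startup migration that decides "missing" by emptiness (so an explicitly emptied list is silently refilled from persisted state) next to a version that only migrates a key that is genuinely absent.

```javascript
// Added illustration, not OpenClaw code: a startup migration that decides
// "missing" by emptiness instead of presence, beside a corrected version.
// All names (migrateConfig*, tlon.allowedHosts, host strings) are hypothetical.

// Constructed sample data: state persisted on disk before revocation, and the
// operator's current config in which the Tlon entries were revoked by
// emptying the list.
const persistedState = {
  tlon: { allowedHosts: ["ship-one.example", "ship-two.example"] },
};
const currentConfig = {
  tlon: { allowedHosts: [] }, // revoked: explicitly set to an empty array
};

const clone = (obj) => JSON.parse(JSON.stringify(obj));

// Vulnerable pattern: an empty array is treated like an absent key, so the
// persisted value is copied back in on every restart. null is NOT treated as
// missing here, which is why "remove or set to null" is a usable workaround
// against this pattern.
function migrateConfigVulnerable(config, persisted) {
  const out = clone(config);
  const tlon = out.tlon ?? {};
  const hosts = tlon.allowedHosts;
  if (hosts === undefined || (Array.isArray(hosts) && hosts.length === 0)) {
    tlon.allowedHosts = persisted.tlon.allowedHosts; // BUG: rehydrates []
  }
  out.tlon = tlon;
  return out;
}

// Hardened pattern: only a key that is genuinely absent is migrated. An
// explicit [] (or null) is an operator decision and is preserved as written.
function migrateConfigFixed(config, persisted) {
  const out = clone(config);
  const tlon = out.tlon ?? {};
  if (!Object.prototype.hasOwnProperty.call(tlon, "allowedHosts")) {
    tlon.allowedHosts = persisted.tlon.allowedHosts;
  }
  out.tlon = tlon;
  return out;
}

// Post-restart check (the last recommended action above): list any revoked
// hosts that came back after migration. An empty result means revocation held.
function revokedEntriesReappeared(migrated, revokedHosts) {
  const live = new Set(migrated.tlon?.allowedHosts ?? []);
  return revokedHosts.filter((h) => live.has(h));
}

// Stand-alone demonstration
const revoked = persistedState.tlon.allowedHosts;
console.log("vulnerable:",
  revokedEntriesReappeared(migrateConfigVulnerable(currentConfig, persistedState), revoked));
console.log("fixed:     ",
  revokedEntriesReappeared(migrateConfigFixed(currentConfig, persistedState), revoked));
```

The check in `revokedEntriesReappeared` is the kind of assertion worth running after every restart until the upgrade is in place: feed it the list of entries you revoked and treat any non-empty result as a rehydration.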



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type                | Values Removed | Values Added
Description         |                | OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.
Title               |                | OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling
First Time appeared |                | Openclaw; Openclaw openclaw
Weaknesses          |                | CWE-372
CPEs                |                | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products  |                | Openclaw; Openclaw openclaw
References          |                |
Metrics             |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}; cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:31:39.810Z

Reserved: 2026-04-20T14:12:09.519Z

Link: CVE-2026-41388

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-28T19:37:42.040

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41388

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses