Description
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.
Published: 2026-04-28
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Authentication bypass via stale authentication state
Action: Immediate Patch
AI Analysis

Impact

In OpenClaw versions prior to 2026.4.8, the authentication state handling can become stale after a configuration reload. The resolvedAuth closure, which holds the current authentication rules, is not refreshed when configuration changes are applied. Consequently, any new gateway connection established after such a reload continues to use the outdated authentication state. Attackers can exploit this behavior to bypass authentication controls and gain unauthorized access to the system. The vulnerability stems from improper state synchronization and is classified as CWE-613, where stale authentication data can be used by attackers to gain privileges they should not possess.
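
As an added illustration (not OpenClaw's code; the function and config names are assumptions), the stale-closure shape described above is shown beside a version that re-resolves the auth state on reload, with a regression check a maintainer could run against either:

```javascript
// Hypothetical illustration of the stale-closure pattern behind CVE-2026-41916
// (CWE-613). resolveAuth, makeStaleGateway, makeFreshGateway and the config
// shape are assumptions for this example, not OpenClaw's own code.

// Turn a config object into the auth state a gateway consults per connection.
function resolveAuth(config) {
  return { tokens: new Set(config.tokens) };
}

// Vulnerable shape: resolvedAuth is computed once and captured by the accept
// handler; reloadConfig() swaps the config, but the closure never sees it.
function makeStaleGateway(initialConfig) {
  let config = initialConfig;
  const resolvedAuth = resolveAuth(config);          // captured once
  return {
    reloadConfig(next) { config = next; },           // resolvedAuth untouched
    acceptConnection(token) { return resolvedAuth.tokens.has(token); },
  };
}

// Hardened shape: resolvedAuth is re-derived whenever the config changes,
// so every newly accepted connection reads the current state.
function makeFreshGateway(initialConfig) {
  let resolvedAuth = resolveAuth(initialConfig);
  return {
    reloadConfig(next) { resolvedAuth = resolveAuth(next); },
    acceptConnection(token) { return resolvedAuth.tokens.has(token); },
  };
}

// Regression check: after a reload that rotates the token, a new connection
// presenting the revoked token must be rejected and the new one accepted.
// Returns true only if the gateway honours the reloaded configuration.
function rejectsRevokedTokenAfterReload(makeGateway) {
  const gw = makeGateway({ tokens: ["old-secret"] }); // constructed sample config
  gw.reloadConfig({ tokens: ["new-secret"] });       // rotate: old token revoked
  const staleAccepted = gw.acceptConnection("old-secret");
  const freshAccepted = gw.acceptConnection("new-secret");
  return !staleAccepted && freshAccepted;
}
```

The check fails for makeStaleGateway (the revoked token is still accepted) and passes for makeFreshGateway, which is the behaviour a fixed build should exhibit.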

Affected Systems

The vulnerability affects the OpenClaw platform, specifically all deployments of OpenClaw before version 2026.4.8. Since the product is built on Node.js, any instance running the affected version in any environment that processes gateway connections is susceptible.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact on confidentiality, integrity, and availability. No EPSS exploit probability score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector likely requires an operator, or an attacker with equivalent access, to trigger a configuration reload, after which the stale authentication state grants unauthorized access. Because a reload can be performed manually or automatically, a compromised user could potentially manipulate the authentication data if the reload operation is not secured.

Generated by OpenCVE AI on April 29, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.8 or newer, which addresses the stale authentication state flaw.
  • If immediate upgrade is not possible, restrict configuration reload capability to trusted administrators only and audit reload events closely.
  • Disable or postpone any automated configuration reloads until the patch is applied to prevent accidental use of stale authentication data.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.
Title | | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload
First Time appeared | | Openclaw; Openclaw openclaw
Weaknesses | | CWE-613
CPEs | | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products | | Openclaw; Openclaw openclaw
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}; cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:10:10.910Z

Reserved: 2026-04-22T15:20:49.860Z

Link: CVE-2026-41916

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:45.540

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41916

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses