High severity (score 7.1) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 27, 2026
CVE-2026-41299
Description
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method: ACP-only provenance fields are gated by self-declared client metadata from the WebSocket handshake rather than by verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection.
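The pattern the description names, gating a privileged field on a label the client chose for itself versus gating it on the role that authentication bound to the session, is shown below as an added example. This is not OpenClaw's code and does not reproduce the fixed commit; the field names, roles, and the session and connection object shapes are hypothetical, and the scenario inputs are constructed.

```javascript
// Added example (not OpenClaw's code). Contrasts the weak pattern the advisory
// describes, gating reserved ACP provenance fields on client-declared handshake
// metadata, with gating them on the session's verified authorization state.
// Every name here (field names, roles, object shapes) is hypothetical.

const ACP_RESERVED_FIELDS = ['acpSessionId', 'acpOrigin']; // hypothetical reserved provenance fields

// Builds the outbound message, copying reserved fields only when `isAcp` is true.
// Returns { ok: true, message } or { ok: false, reason } so the caller can log
// and count rejections instead of silently dropping them.
function buildMessage(msg, isAcp) {
  const out = { text: msg.text };
  for (const field of ACP_RESERVED_FIELDS) {
    if (!(field in msg)) continue;
    if (!isAcp) {
      return { ok: false, reason: `reserved field ${field} from non-ACP client` };
    }
    out[field] = msg[field];
  }
  return { ok: true, message: out };
}

// WEAK: the "is this the ACP bridge?" decision reads a label the client declared
// about itself during the WebSocket handshake. Any authenticated client can set it.
function weakChatSend(conn, msg) {
  const isAcp = !!conn.clientMetadata && conn.clientMetadata.client === 'acp-bridge';
  return buildMessage(msg, isAcp);
}

// HARDENED: the decision reads the role that authentication bound to the session
// (derived from the credential the connection presented). Handshake metadata is
// never consulted for an authorization decision.
function hardenedChatSend(conn, msg) {
  const isAcp = conn.session.role === 'acp-bridge';
  return buildMessage(msg, isAcp);
}

// Constructed scenario: an operator credential whose handshake metadata claims to
// be the bridge, and a genuine bridge session for comparison.
const spoofingOperator = {
  session: { role: 'operator' },            // bound at authentication, verified
  clientMetadata: { client: 'acp-bridge' }, // self-declared, not verified
};
const realBridge = {
  session: { role: 'acp-bridge' },
  clientMetadata: { client: 'acp-bridge' },
};
const withReservedField = { text: 'hello', acpSessionId: 'constructed-sample-id' };

// Summarises the three outcomes a reviewer would check.
function demo() {
  return {
    weakAcceptsSpoof: weakChatSend(spoofingOperator, withReservedField).ok,       // true: the bypass
    hardenedRejectsSpoof: hardenedChatSend(spoofingOperator, withReservedField).ok, // false
    hardenedAcceptsBridge: hardenedChatSend(realBridge, withReservedField).ok,    // true
  };
}
```

The hardened variant rejects rather than strips, so that a non-ACP session presenting reserved fields produces a logged reason string; that is the signal a detection rule can key on, whereas silent stripping hides the attempt.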
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.28 | 2026.3.28 |
References
- github.com/advisories/GHSA-6xg4-82hv-cp6f (GHSA advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f (vendor advisory, cited by NVD)
- www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard (third-party advisory, cited by NVD)
- github.com/openclaw/openclaw/commit/4b9542716c26ac77652bcaa0f562043b298b409f (commit, cited by GHSA)