High severity, score 7.1 (NVD) · Advisory · Published Apr 23, 2026 · Updated Apr 29, 2026
CVE-2026-41359
Description
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability: an authenticated operator holding only write permissions (the operator.write scope) can reach admin-class Telegram configuration and cron persistence settings through the send endpoint. Because the endpoint's access controls do not distinguish these administrative targets from ordinary writes, an attacker with operator.write credentials can reach sensitive administrative functionality and modify persistence mechanisms.
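The pattern the description points at, shown as an added example that is not OpenClaw's code and does not reproduce the project's API: a single send endpoint whose request envelope can also carry admin-class payloads, gated by one endpoint-level operator.write check, beside a handler that derives the required scope from what the request actually touches. Only the scope name operator.write comes from the advisory; the operator.admin scope, the scope ordering, the request fields (telegramConfig, cron) and the action names are assumptions for illustration. TypeScript is used because the affected artifact is an npm package.

```typescript
// Added illustration, not OpenClaw code. Models a single "send" endpoint whose
// request envelope can also carry admin-class payloads (channel configuration,
// cron persistence). Everything except the scope name `operator.write` is an
// assumption: the `operator.admin` scope, the request fields, the action names.

type Scope = "operator.read" | "operator.write" | "operator.admin";

interface Principal {
  id: string;
  scopes: Scope[];
}

// Hypothetical request shape: a plain message, and optionally configuration or
// persistence updates riding in the same envelope.
interface SendRequest {
  channel: string;
  text?: string;
  telegramConfig?: Record<string, unknown>;
  cron?: { schedule: string; command: string };
}

interface Outcome {
  ok: boolean;
  actions: string[];
}

// Ordering assumed for this example: admin implies write, write implies read.
const SCOPE_RANK: Record<Scope, number> = {
  "operator.read": 0,
  "operator.write": 1,
  "operator.admin": 2,
};

function hasScope(p: Principal, need: Scope): boolean {
  return p.scopes.some((s) => SCOPE_RANK[s] >= SCOPE_RANK[need]);
}

// Classify the request by the most privileged thing it touches. Channel
// configuration and persistence are admin-class regardless of which endpoint
// delivered them.
function requiredScope(req: SendRequest): Scope {
  if (req.telegramConfig !== undefined || req.cron !== undefined) {
    return "operator.admin";
  }
  return "operator.write";
}

// Simulated side effects; returns the list of actions that would be applied.
function applyAll(req: SendRequest): string[] {
  const actions: string[] = [];
  if (req.text !== undefined) actions.push(`send:${req.channel}`);
  if (req.telegramConfig !== undefined) actions.push("update:telegram-config");
  if (req.cron !== undefined) actions.push(`persist:cron:${req.cron.schedule}`);
  return actions;
}

// Vulnerable pattern: one endpoint-level check on operator.write; every field
// in the envelope is then honoured, including the admin-class ones.
function handleSendVulnerable(p: Principal, req: SendRequest): Outcome {
  if (!hasScope(p, "operator.write")) return { ok: false, actions: [] };
  return { ok: true, actions: applyAll(req) };
}

// Hardened pattern: derive the required scope from the request content and
// refuse before any state is touched.
function handleSendFixed(p: Principal, req: SendRequest): Outcome {
  if (!hasScope(p, requiredScope(req))) return { ok: false, actions: [] };
  return { ok: true, actions: applyAll(req) };
}

// Constructed scenario: a write-only operator slips a cron entry through send.
function demo(): { vulnerable: Outcome; fixed: Outcome } {
  const writer: Principal = { id: "op-write", scopes: ["operator.write"] };
  const escalate: SendRequest = {
    channel: "telegram",
    cron: { schedule: "*/5 * * * *", command: "echo persisted" },
  };
  return {
    vulnerable: handleSendVulnerable(writer, escalate),
    fixed: handleSendFixed(writer, escalate),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with ts-node or tsx; the output shows the write-only operator's cron entry accepted by the vulnerable handler and refused by the hardened one, while a plain message send passes both. The general point: when one endpoint multiplexes actions of different sensitivity, authorization has to be decided per capability touched, not once per endpoint.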
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| openclaw | npm | < 2026.3.28 | 2026.3.28 |
References
- github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986 (patch; listed by NVD)
- github.com/advisories/GHSA-767m-xrhc-fxm7 (GitHub advisory; listed by GHSA)
- github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7 (vendor advisory; listed by NVD)
- nvd.nist.gov/vuln/detail/CVE-2026-41359 (NVD entry; listed by GHSA)
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-to-admin-class-telegram-config-and-cron-persistence (third-party advisory; listed by NVD)