Critical severity 9.1 · NVD Advisory · Published Apr 28, 2026 · Updated May 1, 2026
CVE-2026-41386
Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability: bootstrap setup codes used for first-use device pairing are not bound to the device role and scopes they were issued for. An attacker who holds a setup code can exploit this during pairing to obtain a role or scope beyond what the code was intended to grant.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.22 | 2026.3.22 |
References
- github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9 (patch)
- github.com/advisories/GHSA-gg9v-mgcp-v6m7 (GitHub advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41386 (NVD)
- www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes (third-party advisory)