CVE-2026-41375
Status: Received - Intake
Authorization Bypass in OpenClaw Phone Arm/Disarm Endpoints

Publication date: 2026-04-28

Last updated on: 2026-05-01

Assigner: VulnCheck

Description
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels. Attackers can bypass authentication restrictions to arm or disarm phone channels without proper administrative privileges.
Meta Information
Published: 2026-04-28
Last Modified: 2026-05-01
Generated: 2026-05-06
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor    Product    Version / Range
openclaw  openclaw   up to 2026.3.28 (excluding)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41375 is an authorization bypass vulnerability in OpenClaw versions before 2026.3.28. It affects the /phone arm and /phone disarm API endpoints, which fail to properly enforce the operator.admin scope checks for external channels. This means that attackers with limited privileges can bypass authentication restrictions and arm or disarm phone channels without having the necessary administrative rights.

The vulnerability is classified under CWE-863 (Incorrect Authorization) and is considered a medium severity risk because it allows privilege escalation through improper access control on critical phone management functions.


How can this vulnerability impact me?

This vulnerability allows unauthorized users to perform administrative actions such as arming or disarming phone channels without proper privileges. This can lead to unauthorized control over phone systems, potentially disrupting communications or enabling malicious activities.

Because the vulnerability bypasses authentication restrictions, it can be exploited by attackers on external channels, increasing the risk of privilege escalation and unauthorized configuration changes.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized access to the /phone arm and /phone disarm API endpoints without proper administrative privileges. To detect exploitation attempts on your network or system, you should monitor calls to these endpoints, especially those originating from external channels.

Suggested detection steps include:

  • Monitor API logs for calls to /phone arm and /phone disarm endpoints from users or clients lacking the operator.admin scope.
  • Check for unexpected arming or disarming of phone channels initiated by non-administrative users.
  • Use network monitoring tools to filter and analyze traffic targeting these endpoints, focusing on external channels such as Telegram or other non-webchat sources.
  • If possible, run commands or scripts that query the system's current phone channel status and recent changes to detect unauthorized state changes.

Specific commands are not provided in the available resources, but focusing on API access logs and permission scope checks is recommended.
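The detection steps above can be expressed as a small log audit. The following script is an added example written for this page, not a tool from VulnCheck or the OpenClaw project. It assumes a hypothetical JSON-lines access log with fields for timestamp, channel, actor, granted scopes, endpoint and HTTP status; OpenClaw's real log format is not described here, so the field mapping and the sample lines are constructed. The script flags every call to the two endpoints named in the advisory that was made without the operator.admin scope, and separates attempts the server refused from ones that succeeded, which is the actual signature of a bypass.

```python
import json

# Endpoints and scope named in the advisory.
PHONE_ENDPOINTS = {"/phone arm", "/phone disarm"}
REQUIRED_SCOPE = "operator.admin"
# Assumption for this example: only the built-in web chat counts as internal;
# every other channel (Telegram, Discord, ...) is treated as external.
INTERNAL_CHANNELS = {"webchat"}

# Constructed sample log in a hypothetical JSON-lines format. OpenClaw's real
# log layout is not described on this page; map your own fields accordingly.
SAMPLE_LOG = """\
{"ts": "2026-04-29T10:01:02Z", "channel": "webchat", "actor": "alice", "scopes": ["operator.admin"], "endpoint": "/phone arm", "status": 200}
{"ts": "2026-04-29T10:02:15Z", "channel": "telegram", "actor": "bob", "scopes": ["operator.read"], "endpoint": "/phone disarm", "status": 200}
{"ts": "2026-04-29T10:03:40Z", "channel": "telegram", "actor": "carol", "scopes": [], "endpoint": "/status", "status": 200}
{"ts": "2026-04-29T10:04:09Z", "channel": "telegram", "actor": "dave", "scopes": ["operator.read"], "endpoint": "/phone arm", "status": 403}
{"ts": "2026-04-29T10:05:33Z", "channel": "discord", "actor": "erin", "scopes": [], "endpoint": "/phone arm", "status": 200}
this line is not JSON and is skipped
"""


def parse_log(text):
    """Yield one dict per well-formed JSON line; malformed lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def find_unauthorized_phone_calls(records):
    """Return arm/disarm calls made without operator.admin.

    A 4xx/5xx status means the server refused the call (the scope check held);
    a 2xx without the scope is the signature of a successful bypass.
    """
    findings = []
    for rec in records:
        if rec.get("endpoint") not in PHONE_ENDPOINTS:
            continue
        if REQUIRED_SCOPE in set(rec.get("scopes", [])):
            continue
        channel = rec.get("channel", "unknown")
        findings.append({
            "ts": rec.get("ts"),
            "actor": rec.get("actor"),
            "channel": channel,
            "endpoint": rec["endpoint"],
            "external": channel not in INTERNAL_CHANNELS,
            "succeeded": int(rec.get("status", 0)) < 400,
        })
    return findings


def scan_log_text(text):
    """Convenience wrapper: parse a log blob and return the findings."""
    return find_unauthorized_phone_calls(parse_log(text))


if __name__ == "__main__":
    for f in scan_log_text(SAMPLE_LOG):
        verdict = "BYPASS SUCCEEDED" if f["succeeded"] else "denied attempt"
        print(f"{f['ts']} {f['actor']:<6} {f['channel']:<9} {f['endpoint']:<14} {verdict}")
```

On the constructed sample this reports three findings: bob and erin succeeded from external channels (the condition the advisory describes), while dave's attempt was refused with a 403. Denied attempts are still worth keeping in the report because a burst of them from one channel is an early warning even on a patched instance.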


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to update OpenClaw to version 2026.3.28 or later, which contains the patch that enforces the operator.admin scope check on all channels for the /phone arm and /phone disarm endpoints.

  • Upgrade OpenClaw to version 2026.3.28 or newer to apply the official fix.
  • Restrict access to the /phone arm and /phone disarm endpoints to only trusted administrative users until the patch is applied.
  • Review and tighten permissions on external channels to prevent unauthorized users from accessing sensitive phone control commands.

These steps will prevent unauthorized users from bypassing authentication restrictions and performing privileged actions on phone channels.
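The advisory describes the fix as enforcing the operator.admin scope on all channels rather than only some. The following is an added illustration of that bug class and its hardened form, written for this page; it is not OpenClaw's code, and the channel name, request shape and function names are hypothetical. The point it makes is reviewable in any codebase: an authorization requirement that is conditional on the transport or channel is a CWE-863 pattern, and a check matrix over every channel/scope combination catches the gap before it ships.

```python
from dataclasses import dataclass

PHONE_ADMIN_COMMANDS = {"/phone arm", "/phone disarm"}
REQUIRED_SCOPE = "operator.admin"
# Hypothetical identifier for the built-in channel; OpenClaw's real names
# are not given on this page.
BUILTIN_CHANNEL = "webchat"


@dataclass(frozen=True)
class Request:
    channel: str        # e.g. "webchat", "telegram"
    scopes: frozenset   # scopes granted to the caller
    command: str        # e.g. "/phone arm"


def authorize_before_fix(req):
    """Bug class from the advisory: the scope check runs only on the
    built-in channel, so external channels never reach it."""
    if req.command not in PHONE_ADMIN_COMMANDS:
        return True
    if req.channel == BUILTIN_CHANNEL:
        return REQUIRED_SCOPE in req.scopes
    return True  # external channels skip the check entirely


def authorize_after_fix(req):
    """Hardened shape: the scope requirement does not depend on the channel."""
    if req.command not in PHONE_ADMIN_COMMANDS:
        return True
    return REQUIRED_SCOPE in req.scopes


def check_matrix(authorize):
    """Run one authorizer over every channel/scope combination for
    '/phone arm' and return {(channel, has_admin): allowed}."""
    results = {}
    for channel in (BUILTIN_CHANNEL, "telegram", "discord"):
        for has_admin in (False, True):
            scopes = frozenset({REQUIRED_SCOPE} if has_admin else {"operator.read"})
            results[(channel, has_admin)] = authorize(Request(channel, scopes, "/phone arm"))
    return results


def regressions(authorize):
    """Combinations where a caller WITHOUT operator.admin is allowed to arm
    the phone. An empty list means the check is enforced on every channel."""
    return [key for key, allowed in check_matrix(authorize).items()
            if allowed and not key[1]]


if __name__ == "__main__":
    print("before fix:", regressions(authorize_before_fix))
    print("after fix: ", regressions(authorize_after_fix))
```

A test of this shape belongs in the project's regression suite: it fails on the pre-fix authorizer for every external channel and passes once the scope check is unconditional.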


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-41375 on compliance with common standards and regulations such as GDPR or HIPAA.

