CVE-2026-41388
Received Received - Intake
Configuration Management Bypass in OpenClaw Allows Revoked Settings Reuse

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41388
EUVD
EUVD-2026-26097
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.31 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-372 The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41388 is a configuration management vulnerability in OpenClaw versions before 2026.3.31. The issue occurs during the startup migration process of Tlon settings, where empty-array configuration values are mistakenly treated as missing values. This causes the system to restore revoked Tlon configurations from the file state upon application restart, effectively bypassing revocation controls that are meant to prevent certain configurations from being reactivated.

Impact Analysis

This vulnerability allows attackers to bypass intended revocation controls by restarting the application, which causes revoked configurations to be reactivated from the file state. As a result, revoked permissions or settings that should no longer be effective can be restored, potentially leading to unauthorized access or actions within the affected system.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-41388 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the OpenClaw application treating empty-array settings as missing during startup migration, which leads to rehydration of revoked Tlon configurations. Detection would involve checking the version of the OpenClaw package in use and inspecting configuration files for empty-array revocation settings that might be incorrectly handled.

Specifically, you should verify if your OpenClaw version is prior to 2026.3.31, as versions up to and including 2026.3.28 are vulnerable.

Commands to detect the vulnerability could include:

  • Check the installed OpenClaw version: `npm list openclaw` or `openclaw --version`
  • Inspect the configuration files for empty-array revocation settings, for example by using `grep` or similar tools to find empty arrays in relevant config files.
  • Monitor application restart logs to detect if revoked Tlon configurations are being rehydrated unexpectedly.
Mitigation Strategies

The primary mitigation step is to upgrade the OpenClaw package to version 2026.3.31 or later, where the vulnerability has been fixed.

This update includes a fix that changes the migration logic to correctly preserve explicit empty-array settings during startup migration, preventing the rehydration of revoked configurations.

Until the upgrade can be applied, avoid restarting the OpenClaw application unnecessarily, as restarts trigger the vulnerable migration process.

Additionally, review and manually verify your configuration files to ensure that revoked Tlon configurations are not being restored from file state.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart