CVE-2026-41388
Configuration Management Bypass in OpenClaw Allows Revoked Settings Reuse
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.31 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-372 | The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41388 is a configuration management vulnerability in OpenClaw versions before 2026.3.31. The issue occurs during the startup migration process of Tlon settings, where empty-array configuration values are mistakenly treated as missing values. This causes the system to restore revoked Tlon configurations from the file state upon application restart, effectively bypassing revocation controls that are meant to prevent certain configurations from being reactivated.
How can this vulnerability impact me?
This vulnerability allows attackers to bypass intended revocation controls by restarting the application, which causes revoked configurations to be reactivated from the file state. As a result, revoked permissions or settings that should no longer be effective can be restored, potentially leading to unauthorized access or actions within the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the OpenClaw application treating empty-array settings as missing during startup migration, which leads to rehydration of revoked Tlon configurations. Detection would involve checking the version of the OpenClaw package in use and inspecting configuration files for empty-array revocation settings that might be incorrectly handled.
Specifically, verify whether your OpenClaw version is prior to 2026.3.31; versions up to and including 2026.3.28 are vulnerable.
Commands to detect the vulnerability could include:
- Check the installed OpenClaw version: `npm list openclaw` or `openclaw --version`
- Inspect the configuration files for empty-array revocation settings, for example by using `grep` or a similar tool to locate empty arrays (`[]`) in the relevant config files.
- Monitor application restart logs to detect if revoked Tlon configurations are being rehydrated unexpectedly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-41388 on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the OpenClaw package to version 2026.3.31 or later, where the vulnerability has been fixed.
This update includes a fix that changes the migration logic to correctly preserve explicit empty-array settings during startup migration, preventing the rehydration of revoked configurations.
Until the upgrade can be applied, avoid restarting the OpenClaw application unnecessarily, as restarts trigger the vulnerable migration process.
Additionally, review and manually verify your configuration files to ensure that revoked Tlon configurations are not being restored from file state.
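The mechanism described in the explanation above (an explicit empty array confused with an absent setting during startup migration) and the fix described in the mitigation answer (preserve explicit empty arrays) can be modelled in a few lines. The following JavaScript is an added illustration of the CWE-372 state-confusion pattern, not OpenClaw's own code; the setting names `tlon`, `allowedPeers` and the `fileState` / current-settings shapes are hypothetical, and the sample values are constructed.

```javascript
// Added example (not OpenClaw's code). Models a startup settings migration
// that confuses an explicit empty array (a revoked setting) with a missing
// setting and so "restores" the pre-revocation value from on-disk file state.
// All names here (tlon, allowedPeers, fileState) are hypothetical.

// Constructed sample: the persisted file state still carries the old,
// pre-revocation list, while the current settings explicitly cleared it.
const FILE_STATE = { tlon: { allowedPeers: ["peer-a", "peer-b"] } };
const CURRENT_SETTINGS = { tlon: { allowedPeers: [] } };

// Deep copy so neither input object is mutated by the migration.
function clone(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Vulnerable migration: a falsy/length check treats [] as "not configured",
// so the revoked (empty) setting is rehydrated from file state on restart.
function migrateVulnerable(current, fileState) {
  const out = clone(current);
  const peers = current.tlon?.allowedPeers;
  if (!peers || peers.length === 0) {
    // BUG: an explicit [] lands in the "missing" branch and is overwritten.
    out.tlon = { ...(out.tlon ?? {}), allowedPeers: fileState.tlon?.allowedPeers ?? [] };
  }
  return out;
}

// Fixed migration: only a genuinely absent key is filled from file state;
// an explicit [] is a valid value and is preserved as-is.
function migrateFixed(current, fileState) {
  const out = clone(current);
  const hasKey = Object.prototype.hasOwnProperty.call(current.tlon ?? {}, "allowedPeers");
  if (!hasKey) {
    out.tlon = { ...(out.tlon ?? {}), allowedPeers: fileState.tlon?.allowedPeers ?? [] };
  }
  return out;
}

// Defender-side check for the restart-log review suggested above: flag a
// migration that turned an explicit [] into a non-empty list, which is the
// rehydration symptom this CVE describes.
function detectRehydration(before, after) {
  const wasEmpty =
    Array.isArray(before.tlon?.allowedPeers) && before.tlon.allowedPeers.length === 0;
  const nowNonEmpty = (after.tlon?.allowedPeers ?? []).length > 0;
  return wasEmpty && nowNonEmpty;
}

// Stand-alone demonstration of both behaviours on the constructed sample.
function runDemo() {
  const vulnerable = migrateVulnerable(CURRENT_SETTINGS, FILE_STATE);
  const fixed = migrateFixed(CURRENT_SETTINGS, FILE_STATE);
  return {
    vulnerableRehydrated: detectRehydration(CURRENT_SETTINGS, vulnerable), // true
    fixedRehydrated: detectRehydration(CURRENT_SETTINGS, fixed),           // false
  };
}

console.log(runDemo());
```

The distinguishing check is `hasOwnProperty` (or an explicit `=== undefined` test) rather than a truthiness or `length === 0` test: a revocation recorded as `[]` must survive the migration, while a key that was never written is the only case that should be filled from the persisted file state. The `detectRehydration` helper is the kind of before/after comparison a restart-log review would perform.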