CVE-2026-41910
Access Control Bypass in OpenClaw /allowlist Endpoint
Publication date: 2026-04-28
Last updated on: 2026-04-30
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.4.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41910 is a vulnerability in OpenClaw versions before 2026.4.8 where the /allowlist endpoint does not enforce owner-only restrictions for cross-channel allowlist write operations.
This means that an authorized user who is not the owner of a channel can bypass access controls and modify the allowlist of channels they do not own, violating the intended trust model of the system.
How can this vulnerability impact me?
The vulnerability allows an authorized non-owner to perform unauthorized modifications to allowlists on channels they do not own.
This can lead to a breach of the intended trust model within OpenClaw, potentially allowing unauthorized access or control over channel permissions.
However, the overall severity is rated as Moderate with a CVSS v4 base score of 2.3, indicating a limited impact on integrity and no impact on confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability CVE-2026-41910, you should upgrade OpenClaw to version 2026.4.8 or later, where the missing owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint has been fixed.
This update addresses the issue by enforcing proper access controls, preventing authorized non-owner users from modifying allowlists on channels they do not own.
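A constructed model of the weakness and its fix, added here as an illustration; it is not OpenClaw's code (the project's internals are not on this page), and Channel, Forbidden and the two handler names are assumptions. It contrasts an allowlist write that only confirms the caller is an authenticated member with one that also requires the caller to own the specific channel named in the request.

```python
"""Constructed model of CWE-863 as described for CVE-2026-41910.
Names and data model are assumptions, not OpenClaw's real API."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an allowlist write fails authorization."""


@dataclass
class Channel:
    name: str
    owner: str
    members: set[str]
    allowlist: set[str] = field(default_factory=set)


def allowlist_write_vulnerable(channels, caller, target_channel, entry):
    """Flawed check: the caller is authorized (a member somewhere), but
    ownership of the *target* channel is never verified, so a non-owner
    can write to another channel's allowlist (cross-channel write)."""
    if not any(caller in ch.members for ch in channels.values()):
        raise Forbidden("caller is not an authenticated member")
    channels[target_channel].allowlist.add(entry)
    return True


def allowlist_write_fixed(channels, caller, target_channel, entry):
    """Owner-only enforcement: the write succeeds only when the caller
    owns the channel named in the request."""
    channel = channels.get(target_channel)
    if channel is None or channel.owner != caller:
        raise Forbidden(f"{caller} does not own channel {target_channel!r}")
    channel.allowlist.add(entry)
    return True


def demo():
    """Constructed scenario: bob owns 'ops' but is only a member of 'eng',
    and attempts a cross-channel write to eng's allowlist."""
    channels = {
        "eng": Channel("eng", owner="alice", members={"alice", "bob"}),
        "ops": Channel("ops", owner="bob", members={"bob"}),
    }
    vulnerable_allowed = allowlist_write_vulnerable(channels, "bob", "eng", "untrusted.example")
    try:
        allowlist_write_fixed(channels, "bob", "eng", "untrusted.example")
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = True
    return vulnerable_allowed, fixed_blocked
```

demo() returns (True, True): the member-only check lets the non-owner's write through, while the owner check on the target channel rejects it.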
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-41910 on compliance with common standards and regulations such as GDPR or HIPAA.