CVE-2026-41916
Received Received - Intake
Authentication Bypass in OpenClaw via Stale Auth State After Reload

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41916
EUVD
EUVD-2026-26122
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the resolvedAuth closure becoming stale after a configuration reload in OpenClaw versions prior to 2026.4.8, allowing authentication bypass. Detection would involve verifying the OpenClaw version in use and monitoring for configuration reload events that might cause stale authentication states.

To detect if your system is vulnerable, first check the installed OpenClaw version. If it is earlier than 2026.4.8, the system is potentially affected.

  • Run a command to check the OpenClaw version, for example: `openclaw --version` or `npm list openclaw` if installed via npm.
  • Monitor logs or events related to configuration reloads in OpenClaw to identify if authentication state is being reused improperly.

There are no specific detection commands or network signatures provided in the available resources.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects OpenClaw versions before 2026.4.8 and involves an authentication state management flaw. Specifically, the resolvedAuth closure becomes stale after a configuration reload, meaning that newly accepted gateway connections continue to use outdated authentication state. This allows attackers to bypass authentication controls by exploiting the configuration reload process.

The issue is classified under CWE-613 (Insufficient Session Expiration), where old session credentials or states remain valid beyond their intended lifecycle, potentially allowing unauthorized reuse.

Impact Analysis

The vulnerability can allow attackers to bypass authentication controls by exploiting the stale authentication state after a configuration reload. This means unauthorized users could gain access to gateway connections that should require valid authentication, potentially leading to unauthorized access to systems or data.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.8 or later, where the issue with stale resolvedAuth closure after configuration reload has been fixed.

This update ensures that newly accepted gateway connections do not continue using outdated authentication state, preventing attackers from bypassing authentication controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41916. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart