Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2026-41386
Critical
CVSS Score: 9.1
Vulnerability Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability: bootstrap setup codes are not bound to the device role and scopes they were issued for during pairing, so the role and scope a device ends up with are not constrained by the code it presents. An attacker can exploit this during first-use device pairing to obtain a role and scope beyond those the setup code was intended to grant. Upgrade to 2026.3.22 or later.
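The flaw class described above, as an added illustration that is not OpenClaw's code and does not reproduce its actual pairing protocol: a toy pairing service with a `bind_role_and_scope` switch. With the switch off, a setup code proves only possession and the pairing request picks its own role and scope; with it on, the role and scopes are recorded when the code is issued and enforced when it is redeemed. The role names, scope names and the `PairingServer` API are assumptions made for the example.

```python
# Added illustration, not OpenClaw's code: a minimal first-use device pairing
# service showing setup codes that only prove possession (the flaw class) beside
# codes that are bound to a role and scope at issuance (the fixed behaviour).
import hashlib
import secrets
import time
from dataclasses import dataclass

ROLE_SCOPES = {  # hypothetical role model, invented for this example
    "viewer": frozenset({"status:read"}),
    "operator": frozenset({"status:read", "jobs:run"}),
    "admin": frozenset({"status:read", "jobs:run", "devices:manage"}),
}


@dataclass
class SetupCode:
    """Server-side record of one bootstrap code; only its hash is kept."""
    code_hash: bytes
    role: str            # role the code was issued for
    scopes: frozenset    # scopes the code was issued for
    expires_at: float
    used: bool = False


class PairingServer:
    def __init__(self, bind_role_and_scope: bool):
        # False reproduces the vulnerability: the code only proves possession and
        # the pairing request is free to name any role and scope.
        self.bind = bind_role_and_scope
        self._codes: dict[bytes, SetupCode] = {}
        self.devices: dict[str, tuple[str, frozenset]] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue_setup_code(self, role: str, scopes, ttl_seconds: int = 600) -> str:
        """Operator side: mint a single-use code for one role and a scope set."""
        scopes = frozenset(scopes)
        if not scopes <= ROLE_SCOPES[role]:
            raise ValueError("requested scopes are not allowed for this role")
        code = secrets.token_urlsafe(16)
        digest = self._digest(code)
        self._codes[digest] = SetupCode(digest, role, scopes, time.time() + ttl_seconds)
        return code

    def pair(self, device_id: str, code: str, requested_role: str, requested_scopes):
        """Device side: redeem the code on first use; returns the (role, scopes) granted."""
        rec = self._codes.get(self._digest(code))
        if rec is None or rec.used or time.time() > rec.expires_at:
            raise PermissionError("invalid, expired or already-used setup code")
        rec.used = True  # single use, whether or not the request below succeeds
        requested_scopes = frozenset(requested_scopes)
        if self.bind:
            # Fixed: the grant can never exceed what the code was issued for.
            if requested_role != rec.role or not requested_scopes <= rec.scopes:
                raise PermissionError("request exceeds the role/scope bound to this code")
        # Vulnerable path (bind=False): possession of any valid code yields
        # whatever role and scope the caller asked for.
        granted = (requested_role, requested_scopes)
        self.devices[device_id] = granted
        return granted


def escalation_attempt(bind_role_and_scope: bool):
    """A code issued for a read-only device is redeemed asking for admin.
    Returns the role granted, or None when the server refuses."""
    server = PairingServer(bind_role_and_scope)
    code = server.issue_setup_code("viewer", ["status:read"])
    try:
        role, _ = server.pair("dev-1", code, "admin", ROLE_SCOPES["admin"])
    except PermissionError:
        return None
    return role


def honest_pairing(bind_role_and_scope: bool = True):
    """The intended flow: the device asks for exactly what the code was issued for."""
    server = PairingServer(bind_role_and_scope)
    code = server.issue_setup_code("viewer", ["status:read"])
    return server.pair("dev-1", code, "viewer", ["status:read"])


def replay_is_rejected() -> bool:
    """A redeemed code must not pair a second device."""
    server = PairingServer(True)
    code = server.issue_setup_code("operator", ["jobs:run"])
    server.pair("dev-1", code, "operator", ["jobs:run"])
    try:
        server.pair("dev-2", code, "operator", ["jobs:run"])
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("unbound code, admin requested:", escalation_attempt(False))
    print("bound code, admin requested:  ", escalation_attempt(True))
    print("replay rejected:", replay_is_rejected())
```

The bound branch grants the requested subset rather than the full bound set, so a device can still ask for less than its code allows but never more; burning the code on a rejected request and storing only its hash are defensive choices of this example, not statements about how the OpenClaw patch works.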
CVSS Metrics (Common Vulnerability Scoring System v3.1)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack Vector: Network (N)
- Attack Complexity: Low (L)
- Privileges Required: None (N)
- User Interaction: None (N)
- Scope: Unchanged (U)
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: None (N)
References & Resources
- https://github.com/openclaw/openclaw/commit/a600c72ed7d0045a27f58bf031d2b36ecb0141c9 (GitHub commit; source: disclosure@vulncheck.com)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-gg9v-mgcp-v6m7 (GitHub security advisory; source: disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-unbound-bootstrap-setup-codes (VulnCheck advisory; source: disclosure@vulncheck.com)
Severity Details
9.1 out of 10.0 (Critical)
Weakness Type (CWE)
CWE-648: Incorrect Use of Privileged APIs
- Description: The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
- Exploit Likelihood: Low
- Typical Severity: High
- Abstraction Level: Base
Key Information
- Published Date: April 28, 2026
