What is CVE-2026-41349?

A high-severity vulnerability (CVSS 8.8) in OpenClaw that allows LLM agents to silently disable execution approval via the config.patch parameter.

How do I fix CVE-2026-41349?

Upgrade to OpenClaw v2026.3.28 or later. Additionally, add runtime guardrails by blocking or strictly validating config.patch inputs and requiring server-side consent enforcement.

How does CVE-2026-41349 work?

An attacker with access to trigger agent behavior can supply or alter the config.patch parameter to disable the system's execution approval mechanism, letting agents execute unauthorized operations without user consent.

Which OpenClaw versions are affected by CVE-2026-41349?

All versions of OpenClaw before v2026.3.28 are vulnerable. Users should upgrade to v2026.3.28 or later.

Who is most at risk from CVE-2026-41349?

Organizations running OpenClaw in multi-tenant or externally exposed agent orchestration environments, particularly where agents have tool access or permissive API exposure.

← Back to dashboard

clawsmith.com/signal/cve-2026-41349-config-patch-approval-bypass

⚠ IssueWide OpenLive

CVE-2026-41349: OpenClaw agents silently disable execution approval via config.patch (CVSS 8.8)

High-severity vulnerability allows LLM agents to silently disable execution approval via the config.patch parameter, enabling remote attackers to bypass security controls and execute unauthorized operations without user consent. Network-reachable with low complexity. Affects OpenClaw before v2026.3.28. Disclosed April 23, 2026.

Product Idea from this Signal

A CLI tool that audits OpenClaw device token scopes and blocks privilege escalation paths before attackers exploit them

2.1k ▲

CVE-2026-32922 (CVSS 9.9) proved that a single API call to device.token.rotate can escalate any paired device to full admin. The root cause was missing scope validation, but the broader problem is that OpenClaw operators have zero visibility into which devices hold what scopes, which tokens have been rotated suspiciously, and whether their instance is still vulnerable. 137 security advisories were filed in 60 days. This CLI tool continuously audits device tokens, flags over-scoped devices, detects rotation anomalies, and blocks escalation attempts at the gateway level.

SECURITYCLIDEVTOOLOPEN-SOURCE

CompetitiveView Opportunity →

Product Idea from this Signal

A background service that scans every directory OpenClaw opens for malicious .env files, poisoned configs, and environment variable injection payloads before the agent loads them

189 ▲

CVE-2026-41294 (CVSS 8.6) proved that a single .env file in the wrong directory can override OpenClaw security settings during startup. The attack surface is broad: any git clone, any downloaded project, any shared workspace could contain a weaponized .env. OpenClaw loads env vars from the current working directory before establishing its trusted configuration. This tool runs as a pre-flight scan before OpenClaw starts, checking every .env file in the workspace chain for suspicious overrides, known injection patterns, and variables that should never come from untrusted sources.

CLIOPEN-SOURCESECURITYDEVTOOL

CompetitiveView Opportunity →