{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41352/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41352"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","cve-2026-41352"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 suffers from a remote code execution vulnerability (CVE-2026-41352). This flaw exists because a device-paired node can bypass the node scope gate authentication mechanism. An attacker who has already obtained device pairing credentials can exploit this vulnerability to execute arbitrary node commands on the host system. This occurs because the application doesn\u0026rsquo;t perform adequate node pairing validation, allowing malicious actors to potentially gain complete control over the affected system if successfully exploited. Defenders should prioritize patching to version 2026.3.31 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the OpenClaw system. 
This may involve social engineering or other means of obtaining device pairing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the device pairing credentials to authenticate to a device-paired node.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a node command on the host system.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check (CWE-862), the node scope gate authentication mechanism is bypassed.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly validates the request, failing to properly verify node pairing.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully executes an arbitrary node command on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41352 allows an attacker with valid device pairing credentials to execute arbitrary commands on the host system. This can lead to a complete compromise of the OpenClaw system and potentially the entire network. The number of potential victims is dependent on the number of deployments of OpenClaw before version 2026.3.31. The impact includes data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41352.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw systems for unauthorized command execution attempts. 
While no specific IOCs are available, monitor for unexpected process executions originating from the OpenClaw application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-rce/","summary":"OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.","title":"OpenClaw Remote Code Execution via Node Scope Gate Bypass (CVE-2026-41352)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-41352","version":"https://jsonfeed.org/version/1.1"}