{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41404/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41404"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","authentication","cve-2026-41404"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is vulnerable to a privilege escalation flaw within its trusted-proxy authentication mechanism. This vulnerability, identified as CVE-2026-41404, stems from an incomplete scope clearing process. The core issue lies in the ability for attackers to declare operator scopes on clients that are not part of the Control-UI. This leads to a situation where these self-declared scopes are erroneously persisted on authentication paths that bear identity. This allows an attacker to escalate their privileges to operator.admin, effectively gaining administrative control over the OpenClaw instance. This poses a significant risk to the confidentiality, integrity, and availability of systems relying on OpenClaw for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance using trusted-proxy authentication mode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a non-Control-UI client, declaring operator scopes within the authentication header.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s incomplete scope clearing mechanism fails to remove the attacker-declared operator scopes.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates through an identity-bearing authentication path.\u003c/li\u003e\n\u003cli\u003eDue to the persisted operator scopes, the attacker is granted elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the escalated operator.admin privileges to perform unauthorized actions. This could include modifying configurations, accessing sensitive data, or disrupting services.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access by creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain operator.admin privileges within the OpenClaw environment. This can lead to complete control over the affected OpenClaw instance. Consequences include unauthorized access to sensitive data, modification of system configurations, and disruption of services. The severity is compounded by the fact that the vulnerability exists in the authentication mechanism, potentially affecting all users and systems relying on OpenClaw for access control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41404.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on authentication headers to prevent the declaration of unauthorized scopes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenClaw Unauthorized Scope Declaration\u003c/code\u003e to monitor for suspicious authentication requests.\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw configurations to identify and remove any unauthorized operator scopes.\u003c/li\u003e\n\u003cli\u003eMonitor logs for successful logins with unexpected admin privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-privilege-escalation/","summary":"OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.","title":"OpenClaw Privilege Escalation via Trusted Proxy Authentication (CVE-2026-41404)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41404","version":"https://jsonfeed.org/version/1.1"}