https://feed.craftedsignal.io/vendors/openclaw/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.OpenClaw before version 2026.3.28 is susceptible to a webhook replay vulnerability affecting Plivo V3 signature verification. The vulnerability arises from the application’s method of canonicalizing query parameter ordering for signature verification while simultaneously employing raw URLs for replay detection. This discrepancy allows attackers to manipulate the order of query parameters within a captured, valid, signed webhook, effectively bypassing the replay cache detection mechanism. This could lead to the unintended execution of duplicate voice-call processing. The vulnerability was reported on April 28, 2026, and poses a risk to systems relying on OpenClaw for processing Plivo webhooks.

Attack Chain

1. Attacker captures a valid, signed webhook request from Plivo to OpenClaw.
2. Attacker analyzes the captured webhook request, noting the query parameters and their order.
3. Attacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw’s canonicalization of query ordering for signature verification).
4. Attacker replays the modified webhook request to the OpenClaw server.
5. OpenClaw processes the replayed webhook request because the replay detection mechanism is bypassed due to the reordered query parameters resulting in a different raw URL.
6. The OpenClaw application initiates a duplicate voice-call processing as a result of the replayed webhook.
7. The victim experiences unintended or duplicate voice calls.

Impact

Successful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.

Recommendation

• Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).
• Implement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule Detect Suspicious Webhook Replay to identify potential replay attacks based on duplicate URLs within a short timeframe.
• Consider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.

]]>mediumadvisorywebhookreplay-attackplivohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-approval-bypass/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-approval-bypass/OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.OpenClaw, a software application, is vulnerable to an approval-timeout bypass (CVE-2026-42423) affecting versions prior to 2026.4.8. This vulnerability stems from a flaw in the strictInlineEval approval mechanism, where an approval-timeout fallback allows the execution of inline eval commands without explicit user approval. An attacker with low privileges can exploit this vulnerability on gateway and node exec hosts to circumvent the intended security boundary. This can lead to unauthorized command execution and potential system compromise. Defenders should upgrade to version 2026.4.8 or implement mitigations to prevent exploitation.

Attack Chain

1. Attacker gains low-privilege access to a gateway or node exec host running a vulnerable version of OpenClaw (prior to 2026.4.8).
2. The attacker crafts a malicious inline eval command intended to be executed on the system.
3. The attacker attempts to execute the malicious inline eval command, triggering the strictInlineEval approval mechanism.
4. The system initiates the explicit approval process, awaiting user confirmation before executing the command.
5. The attacker waits for the pre-configured approval-timeout to expire without providing any explicit approval.
6. The approval-timeout fallback mechanism is triggered due to the lack of user approval within the defined timeframe.
7. The system bypasses the explicit-approval requirement due to the timeout fallback, and the malicious inline eval command is executed.
8. The attacker achieves arbitrary command execution on the affected host, potentially escalating privileges and compromising the system.

Impact

Successful exploitation of CVE-2026-42423 allows an attacker to bypass intended security boundaries and execute arbitrary commands on OpenClaw gateway and node exec hosts. This can lead to privilege escalation, unauthorized data access, and potential system compromise. The severity is rated as high (CVSS 7.5) due to the potential for significant impact on confidentiality, integrity, and availability. The number of affected systems depends on the deployment scope of vulnerable OpenClaw versions.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42423.
• Monitor OpenClaw logs for indicators of unauthorized inline eval command execution, focusing on unexpected activity following approval timeouts.
• Implement network segmentation to limit the blast radius of potential compromises, should an attacker successfully exploit CVE-2026-42423 and gain unauthorized access.

]]>highadvisoryvulnerabilityprivilege-escalationexecutionhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-bypass/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-bypass/OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows attackers to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.OpenClaw, a browser automation tool, is vulnerable to a security bypass (CVE-2026-42431) affecting versions prior to 2026.4.8. This vulnerability resides in the node.invoke(browser.proxy) function, which improperly allows mutation of persistent browser profiles. An attacker can leverage this flaw to bypass the browser.request persistent profile-mutation guard. Successful exploitation leads to unauthorized modification of browser configurations, potentially enabling malicious activities such as injecting malicious extensions, altering browser settings, or compromising user data. The vulnerability was publicly disclosed on April 28, 2026.

Attack Chain

1. Attacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.
2. Attacker crafts a malicious script that calls the node.invoke(browser.proxy) function.
3. The script is designed to bypass the browser.request persistent profile-mutation guard.
4. The node.invoke(browser.proxy) function is exploited to mutate the persistent browser profile.
5. The browser configuration is modified to include malicious settings, such as altered proxy settings or injected malicious extensions.
6. OpenClaw uses the modified browser profile for subsequent browser automation tasks.
7. The malicious configurations allow the attacker to intercept or modify browser traffic.
8. The attacker gains unauthorized access to sensitive information or injects malicious content into the browser session.

Impact

Successful exploitation of CVE-2026-42431 allows attackers to modify browser configurations, potentially leading to data theft, session hijacking, or the injection of malicious content. This can compromise user credentials, financial data, or other sensitive information handled by the browser. The vulnerability affects all users of OpenClaw versions prior to 2026.4.8. While the exact number of affected users is unknown, the impact is high due to the potential for widespread compromise of browser profiles and associated data.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42431.
• Monitor OpenClaw scripts for suspicious calls to node.invoke(browser.proxy) using network connection monitoring.
• Implement strict access controls to limit who can modify OpenClaw scripts and browser profiles.
• Deploy the Sigma rule provided below to detect attempts to bypass the browser.request persistent profile-mutation guard.

]]>highadvisorysecurity-bypassbrowser-automationprofile-mutationhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-role-bypass/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-role-bypass/OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function, allowing attackers to mint tokens for unapproved roles and bypass intended approval processes.OpenClaw, a yet-to-be-defined software, is vulnerable to a role bypass flaw affecting versions prior to 2026.4.8. This vulnerability, identified as CVE-2026-42422, resides within the device.token.rotate function. Attackers can exploit this weakness to mint tokens associated with roles that have not undergone proper authorization. The core issue lies in the ability to bypass the intended device role-upgrade pairing mechanism, granting unauthorized access to roles and scopes. This circumvention allows malicious actors to either maintain existing roles illegitimately or create new ones without appropriate approval, potentially leading to significant privilege escalation and unauthorized data access within the affected system. Defenders need to ensure they are running at least version 2026.4.8.

Attack Chain

1. Attacker identifies an OpenClaw instance running a version prior to 2026.4.8.
2. Attacker interacts with the device.token.rotate function.
3. The attacker crafts a request to mint a token, specifying an unapproved role.
4. Due to the vulnerability, the system incorrectly validates the request.
5. A token is minted successfully with the unapproved role.
6. The attacker uses the minted token to authenticate to the OpenClaw instance.
7. The attacker now has access to resources and functionalities associated with the unapproved role.
8. The attacker performs actions with elevated privileges, bypassing intended access controls.

Impact

Successful exploitation of CVE-2026-42422 allows attackers to bypass intended authorization mechanisms within OpenClaw. This can lead to significant privilege escalation, potentially granting unauthorized access to sensitive data and critical system functionalities. The impact depends on the specific roles and scopes that can be minted, but it could range from data breaches to complete system compromise. While the exact number of affected systems remains unclear, any OpenClaw deployment prior to version 2026.4.8 is vulnerable.

Recommendation

• Upgrade all OpenClaw installations to version 2026.4.8 or later to remediate CVE-2026-42422.
• Monitor logs for unusual activity related to the device.token.rotate function, particularly requests attempting to mint tokens with unexpected or unapproved roles.
• Deploy the Sigma rule “Detect OpenClaw Token Minting with Unapproved Roles” to detect exploitation attempts targeting CVE-2026-42422.

]]>highadvisoryrole-bypassprivilege-escalationcve-2026-42422https://feed.craftedsignal.io/briefs/2026-04-openclaw-ssrf/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-ssrf/OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.OpenClaw, a QQ Bot platform, is susceptible to a server-side request forgery (SSRF) vulnerability. This flaw exists in versions prior to 2026.4.8 within the media download paths of the QQ Bot functionality. Specifically, the vulnerability allows attackers to bypass existing SSRF protections. By exploiting unprotected media fetch endpoints, malicious actors can potentially gain unauthorized access to internal resources and circumvent established allowlist policies. This vulnerability poses a significant risk to the confidentiality and integrity of systems and data accessible from the OpenClaw server. Successful exploitation can lead to information disclosure, denial of service, or even remote code execution on internal systems, depending on the accessible resources.

Attack Chain

1. The attacker identifies an OpenClaw instance running a version prior to 2026.4.8.
2. The attacker crafts a malicious URL targeting the QQ Bot media download functionality. This URL contains a payload designed to exploit the SSRF vulnerability.
3. The attacker injects the malicious URL into the QQ Bot’s media download path, bypassing expected SSRF protections.
4. OpenClaw processes the crafted URL without proper validation, initiating a request to an attacker-controlled internal resource.
5. The OpenClaw server makes a request to the specified internal resource, potentially exposing sensitive information or triggering unintended actions.
6. The internal resource responds to the OpenClaw server, and the response is potentially relayed back to the attacker or used to further compromise the system.
7. The attacker gains unauthorized access to internal resources or sensitive data due to the successful SSRF attack.

Impact

Successful exploitation of this SSRF vulnerability (CVE-2026-41914) can lead to the disclosure of sensitive information from internal systems, potentially affecting all users and services dependent on the compromised OpenClaw instance. The severity is amplified by the potential to bypass existing SSRF protections, increasing the attack surface and difficulty of detection. Impact ranges from information disclosure to potential compromise of other internal services, depending on the specific internal resources accessible from the OpenClaw server.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch the SSRF vulnerability (CVE-2026-41914).
• Deploy the Sigma rule Detect Suspicious OpenClaw SSRF Attempt to identify potential exploitation attempts targeting the vulnerable media download paths.
• Implement strict network segmentation to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources from the OpenClaw server.

]]>highadvisoryssrfcve-2026-41914openclawhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-privilege-escalation/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-privilege-escalation/OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.OpenClaw before version 2026.3.31 is vulnerable to a privilege escalation flaw within its trusted-proxy authentication mechanism. This vulnerability, identified as CVE-2026-41404, stems from an incomplete scope clearing process. The core issue lies in the ability for attackers to declare operator scopes on clients that are not part of the Control-UI. This leads to a situation where these self-declared scopes are erroneously persisted on authentication paths that bear identity. This allows an attacker to escalate their privileges to operator.admin, effectively gaining administrative control over the OpenClaw instance. This poses a significant risk to the confidentiality, integrity, and availability of systems relying on OpenClaw for authentication and authorization.

Attack Chain

1. Attacker identifies an OpenClaw instance using trusted-proxy authentication mode.
2. The attacker crafts a request to a non-Control-UI client, declaring operator scopes within the authentication header.
3. OpenClaw’s incomplete scope clearing mechanism fails to remove the attacker-declared operator scopes.
4. The attacker authenticates through an identity-bearing authentication path.
5. Due to the persisted operator scopes, the attacker is granted elevated privileges.
6. The attacker leverages the escalated operator.admin privileges to perform unauthorized actions. This could include modifying configurations, accessing sensitive data, or disrupting services.
7. The attacker maintains persistent access by creating new administrator accounts.

Impact

Successful exploitation of this vulnerability allows an attacker to gain operator.admin privileges within the OpenClaw environment. This can lead to complete control over the affected OpenClaw instance. Consequences include unauthorized access to sensitive data, modification of system configurations, and disruption of services. The severity is compounded by the fact that the vulnerability exists in the authentication mechanism, potentially affecting all users and systems relying on OpenClaw for access control.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41404.
• Implement strict input validation on authentication headers to prevent the declaration of unauthorized scopes.
• Deploy the Sigma rule Detect OpenClaw Unauthorized Scope Declaration to monitor for suspicious authentication requests.
• Review and audit existing OpenClaw configurations to identify and remove any unauthorized operator scopes.
• Monitor logs for successful logins with unexpected admin privileges.

]]>highadvisoryprivilege-escalationauthenticationcve-2026-41404https://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.OpenClaw versions prior to 2026.4.8 are susceptible to a critical vulnerability (CVE-2026-42428) due to the lack of integrity verification for downloaded plugin archives. This flaw allows a malicious actor to install crafted or tampered plugin packages onto a user’s system without any validation or warning. Successful exploitation grants the attacker the ability to compromise the OpenClaw assistant environment, potentially leading to arbitrary code execution, data theft, or other malicious activities. The vulnerability was reported on April 28, 2026, and poses a significant risk to users who rely on OpenClaw for their assistant needs.

Attack Chain

1. The attacker identifies a target running a vulnerable version of OpenClaw (prior to 2026.4.8).
2. The attacker crafts a malicious plugin archive containing malicious code or scripts.
3. The attacker entices the user to download the malicious plugin archive, potentially through social engineering or by hosting it on a compromised website.
4. The user installs the malicious plugin archive via OpenClaw’s plugin installation mechanism.
5. Due to the missing integrity check, OpenClaw installs the plugin without verifying its authenticity or integrity.
6. The malicious plugin is loaded and executed within the OpenClaw environment.
7. The attacker gains control over the OpenClaw assistant environment and executes malicious code.
8. The attacker performs unauthorized actions, such as stealing data, installing malware, or compromising other systems.

Impact

Successful exploitation of CVE-2026-42428 allows attackers to compromise the local OpenClaw assistant environment. The lack of integrity verification means a malicious plugin can execute arbitrary code, potentially leading to data theft, system compromise, or further lateral movement within the network. The severity is high due to the potential for complete system compromise and the relative ease of exploitation, requiring only that a user install a malicious plugin.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42428.
• Deploy the Sigma rule “Detect Suspicious OpenClaw Plugin Installation” to detect the installation of unsigned or suspicious plugins.
• Educate users about the risks of installing plugins from untrusted sources.

]]>highadvisoryvulnerabilitypluginintegrityCVE-2026-42428https://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.OpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw’s functionality.

Attack Chain

1. An unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.
2. The attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.
3. The attacker sends the malicious webhook payload to the OpenClaw endpoint.
4. OpenClaw receives the webhook request and begins parsing the request body before JWT validation.
5. The malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.
6. The parsing process exhausts available server resources.
7. OpenClaw becomes unresponsive or crashes due to resource exhaustion.
8. Legitimate MS Teams webhook requests are no longer processed, leading to a denial of service.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.
• Implement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.
• Monitor web server logs (category webserver, product linux) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.
• Deploy the Sigma rule Detect High Number of Requests to Teams Webhook to identify potential exploitation attempts.

]]>mediumadvisoryresource-exhaustionwebhookcve-2026-41405https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.OpenClaw versions prior to 2026.3.22 contain a vulnerability related to incomplete sanitization of host environment variables. This flaw, found in host-env-security-policy.json and host-env-security.ts, allows for the overriding of package manager environment settings. An attacker can leverage this vulnerability to redirect approved execution requests, manipulating the package resolution process or the runtime bootstrap. By doing so, they can point these processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially leading to supply chain attacks or arbitrary code execution within the affected environment. The vulnerability is identified as CVE-2026-41387.

Attack Chain

1. Attacker identifies an OpenClaw instance running a version prior to 2026.3.22.
2. Attacker crafts malicious environment variables designed to override the package manager’s default settings.
3. The attacker triggers an approved execution request within the OpenClaw environment.
4. Due to the incomplete sanitization, the attacker-controlled environment variables are used by the package manager.
5. The package manager is redirected to the attacker’s infrastructure for package resolution or runtime bootstrap.
6. The attacker’s infrastructure serves trojanized content disguised as legitimate packages or runtime components.
7. OpenClaw executes the trojanized content, granting the attacker initial access to the system.

Impact

Successful exploitation of CVE-2026-41387 can lead to the execution of arbitrary code within the OpenClaw environment. This can result in compromised systems, data breaches, or supply chain attacks. Due to the nature of package management redirection, the impact could extend beyond the initial target, affecting other systems relying on the compromised OpenClaw instance. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.

Recommendation

• Upgrade OpenClaw to version 2026.3.22 or later to remediate the vulnerability described in CVE-2026-41387.
• Implement stricter input validation on environment variables used by OpenClaw, focusing on package manager settings, to prevent redirection attacks.
• Monitor network traffic for connections to unusual or untrusted domains during package resolution or runtime bootstrap, as this may indicate an attempted redirection attack.

]]>highadvisoryvulnerabilitysupply-chainenvironment-variablehttps://feed.craftedsignal.io/briefs/2026-04-openclaw-exec-approval-bypass/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-exec-approval-bypass/OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.OpenClaw, a software of undetermined function, is vulnerable to an execution approval bypass (CVE-2026-41380) affecting versions prior to 2026.3.28. The vulnerability resides in exec-approvals-allowlist.ts, where the system incorrectly trusts wrapper carrier executables instead of the actual invoked targets. This flaw allows attackers to manipulate positional carrier executable routing through dispatch wrappers. By exploiting this, attackers can establish overly broad allowlist entries, effectively weakening the intended execution approval boundaries. This vulnerability was reported on April 28, 2026, and poses a significant risk by allowing unauthorized code execution.

Attack Chain

1. Attacker gains initial access to a system with OpenClaw installed, potentially through social engineering or exploiting other vulnerabilities.
2. The attacker identifies a dispatch wrapper executable that is already on the allowlist.
3. The attacker crafts a malicious payload to be executed through the identified wrapper.
4. The attacker leverages positional carrier executable routing to pass the malicious payload to the wrapper.
5. OpenClaw’s exec-approvals-allowlist.ts incorrectly trusts the wrapper, adding it to the allow-always list.
6. The attacker executes arbitrary commands using the allowlisted wrapper with the malicious payload, bypassing intended restrictions.
7. The attacker escalates privileges by executing privileged commands through the bypassed execution approval mechanism.
8. The attacker achieves persistence by utilizing the now-trusted wrapper to execute malicious code repeatedly.

Impact

Successful exploitation of CVE-2026-41380 allows attackers to bypass intended execution restrictions within OpenClaw. This can lead to arbitrary code execution, privilege escalation, and persistent malicious activity. The vulnerability allows attackers to effectively weaken the security posture of systems relying on OpenClaw’s execution approval mechanisms, potentially leading to complete system compromise. The precise number of affected installations is unknown, but any system running a vulnerable version of OpenClaw is at risk.

Recommendation

• Upgrade OpenClaw to version 2026.3.28 or later to remediate CVE-2026-41380.
• Implement the Sigma rule “Detect Suspicious OpenClaw Wrapper Execution” to identify potential exploitation attempts.
• Review existing allowlist entries within OpenClaw to identify and remove any overly broad or suspicious entries that may have been created through exploitation of CVE-2026-41380.
• Monitor OpenClaw’s logs for unexpected or unauthorized execution events related to wrapper executables as described in the vulnerability details.

]]>highadvisorycve-2026-41380execution-approval-bypassprivilege-escalationdefense-evasionhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.OpenClaw, a CLI tool, is vulnerable to environment variable injection (CVE-2026-41384) in versions prior to 2026.3.24. The vulnerability resides in the CLI backend runner and allows attackers to inject malicious environment variables into the backend process. This is achieved by crafting malicious workspace configurations. Successful exploitation can lead to arbitrary code execution within the context of the OpenClaw process or exposure of sensitive information handled by the application. This vulnerability poses a significant risk to systems using affected versions of OpenClaw, potentially allowing attackers to compromise the confidentiality, integrity, and availability of the system.

Attack Chain

1. Attacker crafts a malicious OpenClaw workspace configuration file. This file contains specially crafted environment variables designed to inject malicious code.
2. The attacker gains access to a system where OpenClaw is installed, either through local access or by compromising an account that has access to modify OpenClaw workspace configurations.
3. The attacker modifies the existing OpenClaw workspace configuration or creates a new one with the malicious environment variables.
4. The user or system executes a command using the OpenClaw CLI, triggering the backend runner.
5. The OpenClaw CLI backend runner parses the workspace configuration file, including the attacker-controlled environment variables.
6. The backend runner spawns a new process, inheriting the injected environment variables.
7. The injected environment variables cause the spawned process to execute arbitrary code, potentially downloading and executing malware or modifying system settings.
8. The attacker achieves code execution, enabling them to perform various malicious activities such as data exfiltration, privilege escalation, or denial of service.

Impact

Successful exploitation of this vulnerability (CVE-2026-41384) allows attackers to inject arbitrary environment variables, potentially leading to code execution or sensitive data exposure. Given the nature of CLI tools often used in automated scripting and deployment pipelines, this could lead to widespread compromise across multiple systems. The severity is rated as HIGH with a CVSS v3.1 score of 7.8.

Recommendation

• Upgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-41384.
• Implement strict access control policies to limit who can modify OpenClaw workspace configurations to prevent unauthorized injection of malicious environment variables.
• Monitor process creation events for unusual processes spawned by OpenClaw, using the OpenClaw Suspicious Child Processes Sigma rule.
• Implement file integrity monitoring on OpenClaw workspace configuration files to detect unauthorized modifications.

]]>highadvisoryenvironment-variable-injectioncode-executioncve-2026-41384https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/Wed, 29 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.OpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically remoteWorkspaceDir and remoteAgentWorkspaceDir, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker’s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.

Attack Chain

1. The attacker gains access to the OpenClaw configuration.
2. The attacker modifies the remoteWorkspaceDir and/or remoteAgentWorkspaceDir configuration values to point to a target directory they wish to delete.
3. The attacker initiates a mirror sync operation.
4. OpenClaw, using the attacker-controlled path, connects to the remote system.
5. OpenClaw deletes the contents of the directory specified by the modified remoteWorkspaceDir or remoteAgentWorkspaceDir.
6. OpenClaw uploads the contents of the attacker’s local workspace to the now-empty remote directory, effectively replacing the original data.
7. The targeted remote directory now contains the attacker’s data instead of the original contents.
8. The attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.

Impact

Successful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.

Recommendation

• Upgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.
• Monitor OpenClaw configuration files for unauthorized modifications to remoteWorkspaceDir and remoteAgentWorkspaceDir using a file integrity monitoring system.
• Implement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.
• Deploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.

]]>highadvisorycve-2026-41383directory-traversalfile-deletionopenclawhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-privesc/Tue, 28 Apr 2026 19:37:47 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-privesc/OpenClaw before 2026.4.8 contains a privilege escalation vulnerability that allows previously paired nodes to reconnect and execute privileged commands without proper authorization, potentially leading to complete system compromise.OpenClaw, a local assistant system, is vulnerable to a privilege escalation attack. CVE-2026-42432 affects versions prior to 2026.4.8. Attackers who have previously paired a node with the OpenClaw system can bypass re-pairing authentication. This allows them to reconnect with the ability to execute commands that should require operator.admin scope. The vulnerability enables unauthorized execution of privileged commands on the local assistant system, potentially leading to full system compromise.

Attack Chain

1. An attacker initially pairs a node with the OpenClaw system, establishing a legitimate connection.
2. The OpenClaw system is upgraded to a version prior to 2026.4.8, or remains on a vulnerable version.
3. The attacker disconnects the previously paired node.
4. The attacker reconnects the node to the OpenClaw system.
5. Due to the vulnerability, the re-pairing authentication process is bypassed.
6. The attacker exploits the bypassed authentication to send commands to the OpenClaw system.
7. The OpenClaw system processes these commands as if they were authorized by an administrator.
8. The attacker executes privileged commands, gaining unauthorized control over the local assistant system.

Impact

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands with elevated privileges on the OpenClaw system. This can lead to complete compromise of the local assistant system, potentially affecting other connected devices or systems. The vulnerability could be exploited to steal sensitive data, install malware, or disrupt critical services. The impact is high due to the potential for full system takeover.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42432.
• Implement network segmentation to limit the impact of compromised OpenClaw systems.
• Monitor OpenClaw logs for unusual command execution patterns after node reconnections, using a rule similar to the provided “Detect OpenClaw Unauthorized Command Execution” Sigma rule.

]]>highadvisoryprivilege-escalationcve-2026-42432https://feed.craftedsignal.io/briefs/2026-04-openclaw-auth-bypass/Tue, 28 Apr 2026 19:37:46 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-auth-bypass/OpenClaw before 2026.4.8 contains an improper authorization vulnerability (CVE-2026-42426) allowing attackers with `operator.write` permissions to bypass node pairing approval and gain unauthorized access to `exec`-capable nodes by exploiting the `node.pair.approve` method which incorrectly accepts the `operator.write` scope instead of the narrower `operator.pairing` scope.OpenClaw versions prior to 2026.4.8 are vulnerable to an improper authorization flaw (CVE-2026-42426). The vulnerability resides within the node.pair.approve method, which erroneously accepts the operator.write scope instead of the intended operator.pairing scope. This oversight enables users possessing operator.write permissions, which are typically less privileged, to circumvent the intended node pairing approval process. Successful exploitation allows unauthorized access to nodes capable of executing commands (exec-capable nodes). This vulnerability was publicly disclosed in April 2026 and presents a significant risk to OpenClaw deployments, potentially leading to unauthorized command execution and data compromise.

Attack Chain

1. Attacker gains operator.write permissions, potentially through compromised credentials or other means.
2. Attacker identifies an exec-capable node that requires pairing.
3. Attacker crafts a request to the node.pair.approve method, using their operator.write credentials.
4. The node.pair.approve method incorrectly validates the operator.write scope, instead of requiring operator.pairing.
5. The node pairing request is approved despite the attacker lacking the proper operator.pairing permission.
6. The attacker establishes a connection to the now-paired exec-capable node.
7. Attacker executes arbitrary commands on the compromised node due to the unauthorized pairing.

Impact

Successful exploitation of CVE-2026-42426 allows attackers with operator.write permissions to bypass node pairing restrictions and gain unauthorized access to exec-capable nodes. This can lead to arbitrary command execution on the affected nodes, potentially leading to data breaches, system compromise, or denial-of-service conditions. The severity of the impact depends on the capabilities and data accessible to the compromised node.

Recommendation

• Upgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42426.
• Monitor OpenClaw logs for attempts to call the node.pair.approve method using accounts with only operator.write permissions. Deploy the Sigma rule to detect this activity.
• Review and enforce strict access control policies to minimize the risk of unauthorized users obtaining operator.write permissions.

]]>highadvisoryprivilege-escalationvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-dos/Tue, 28 Apr 2026 19:37:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-dos/OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.OpenClaw, in versions prior to 2026.3.28, suffers from a denial-of-service vulnerability due to a lack of pre-authentication budget allocation for WebSocket upgrades. This flaw allows unauthenticated network attackers to initiate a large number of concurrent WebSocket upgrade requests without any resource constraints. By exploiting this, an attacker can exhaust the server’s socket and worker capacity, effectively preventing legitimate clients from establishing WebSocket connections and disrupting normal service operation. This vulnerability poses a risk to any OpenClaw deployment accessible over a network, as it can be exploited without requiring any prior authentication or privileged access.

Attack Chain

1. An unauthenticated attacker identifies an OpenClaw server accessible over the network.
2. The attacker sends a large number of WebSocket upgrade requests to the server. These requests are crafted to initiate the WebSocket handshake process.
3. The OpenClaw server accepts these requests without pre-authentication checks or resource limits.
4. Each incoming WebSocket upgrade request consumes server resources, including sockets and worker threads.
5. The attacker continues to flood the server with upgrade requests, rapidly exhausting available resources.
6. As resources become scarce, the server’s ability to handle legitimate client requests degrades.
7. Eventually, the server’s socket and worker capacity is fully exhausted, leading to a denial-of-service condition.
8. Legitimate clients are unable to establish WebSocket connections, disrupting application functionality.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, preventing legitimate users from accessing OpenClaw services. The number of affected users depends on the scale of the OpenClaw deployment and the number of concurrent users it typically supports. Organizations relying on OpenClaw for critical functions could experience significant disruptions and potential data loss if the service becomes unavailable. The vulnerability allows a single attacker to disrupt the service without requiring any credentials or prior access.

Recommendation

• Upgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41399).
• Implement rate limiting on WebSocket upgrade requests to mitigate the impact of malicious requests. Deploy the Sigma rule Detect Excessive WebSocket Upgrade Requests to identify suspicious activity.
• Monitor network traffic for a high volume of WebSocket upgrade requests originating from a single source IP address. Use the Sigma rule Detect High Volume of WebSocket Upgrade Requests from Single IP to detect this pattern.

]]>mediumadvisorydenial-of-servicewebsocketcvehttps://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/Tue, 28 Apr 2026 00:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.OpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system’s integrity. This vulnerability was reported and patched in version 2026.3.31. Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.

Attack Chain

1. Attacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.
2. Attacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.
3. Attacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.
4. OpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.
5. During extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.
6. The attacker overwrites arbitrary files on the remote host with attacker-controlled content.
7. The attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.
8. The attacker escalates privileges by modifying binaries used by privileged users.

Impact

Successful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.
• Deploy the Sigma rule “Detect Suspicious Tar Archive Upload with Symlinks” to detect attempts to upload malicious tar archives containing symbolic links.
• Monitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.

]]>highadvisorysymlinkfile-writesandbox-escapehttps://feed.craftedsignal.io/briefs/2026-04-openclaw-rce/Fri, 24 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-rce/OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.OpenClaw before version 2026.3.31 suffers from a remote code execution vulnerability (CVE-2026-41352). This flaw exists because a device-paired node can bypass the node scope gate authentication mechanism. An attacker who has already obtained device pairing credentials can exploit this vulnerability to execute arbitrary node commands on the host system. This occurs because the application doesn’t perform adequate node pairing validation, allowing malicious actors to potentially gain complete control over the affected system if successfully exploited. Defenders should prioritize patching to version 2026.3.31 or later to mitigate this risk.

Attack Chain

1. The attacker gains initial access to the OpenClaw system. This may involve social engineering or other means of obtaining device pairing credentials.
2. The attacker leverages the device pairing credentials to authenticate to a device-paired node.
3. The attacker attempts to execute a node command on the host system.
4. Due to the missing authorization check (CWE-862), the node scope gate authentication mechanism is bypassed.
5. The system incorrectly validates the request, failing to properly verify node pairing.
6. The attacker successfully executes an arbitrary node command on the host system.
7. The attacker escalates privileges, potentially gaining full control over the system.
8. The attacker can then perform malicious activities such as data exfiltration, system compromise, or lateral movement within the network.

Impact

Successful exploitation of CVE-2026-41352 allows an attacker with valid device pairing credentials to execute arbitrary commands on the host system. This can lead to a complete compromise of the OpenClaw system and potentially the entire network. The number of potential victims is dependent on the number of deployments of OpenClaw before version 2026.3.31. The impact includes data breaches, system downtime, and reputational damage.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41352.
• Monitor OpenClaw systems for unauthorized command execution attempts. While no specific IOCs are available, monitor for unexpected process executions originating from the OpenClaw application.

]]>criticaladvisoryrcevulnerabilitycve-2026-41352https://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/Fri, 24 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.OpenClaw before version 2026.3.31 is susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability lies in the lack of browser-origin validation within the HTTP operator endpoints when the application operates in trusted-proxy mode. This allows an attacker to craft malicious HTTP requests originating from a user’s browser to perform unauthorized actions within the OpenClaw application. Successful exploitation of this vulnerability enables attackers to execute privileged operations, potentially leading to data modification or unauthorized access to sensitive functionalities. This vulnerability requires the application to be deployed in trusted-proxy mode to be exploitable.

Attack Chain

1. An attacker crafts a malicious HTML page containing a forged HTTP request targeting a vulnerable OpenClaw HTTP operator endpoint.
2. The attacker hosts the malicious HTML page on a website or delivers it through phishing.
3. A victim user, authenticated to the OpenClaw application, visits the malicious HTML page in their browser.
4. The victim’s browser automatically sends the forged HTTP request to the vulnerable OpenClaw endpoint.
5. Because the OpenClaw application lacks proper browser-origin validation, it processes the forged request.
6. The attacker is able to perform unauthorized actions as the authenticated user.
7. The attacker can modify user configurations or exfiltrate data.

Impact

Successful exploitation of this CSRF vulnerability in OpenClaw can lead to unauthorized modification of application settings, data manipulation, or even complete account takeover. While specific victim numbers are unavailable, the impact extends to any organization utilizing OpenClaw in a trusted-proxy deployment scenario. The vulnerability can potentially compromise data integrity and confidentiality, leading to significant operational disruptions.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41347.
• Deploy the Sigma rule below to detect suspicious HTTP requests lacking proper origin validation within your web server logs.
• Implement proper CSRF protection mechanisms, such as synchronizer tokens, in OpenClaw’s HTTP operator endpoints.

]]>mediumadvisorycsrfweb-applicationvulnerabilityhttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-override/Fri, 24 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-openclaw-env-override/OpenClaw before 2026.3.31 allows attackers to execute arbitrary code by overriding the OPENCLAW_BUNDLED_HOOKS_DIR environment variable using a workspace .env file, enabling the loading of attacker-controlled hook code.OpenClaw versions prior to 2026.3.31 are susceptible to an arbitrary code execution vulnerability, tracked as CVE-2026-41336. This flaw stems from the application’s insecure handling of environment variables. Specifically, the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, which dictates the directory from which OpenClaw loads bundled hooks, can be overridden by a workspace-specific .env file. This allows a malicious actor to craft a .env file within an untrusted workspace that points to a directory containing attacker-controlled hook code. Upon loading the workspace, OpenClaw will execute the malicious code, effectively granting the attacker arbitrary code execution within the application’s context. This vulnerability poses a significant risk to systems utilizing OpenClaw, as it can lead to complete system compromise.

Attack Chain

1. The attacker creates a malicious hook code file (e.g., evil_hook.py) containing arbitrary code to be executed.
2. The attacker creates a directory (e.g., /tmp/evil_hooks) and places the malicious hook code file within it.
3. The attacker crafts a .env file containing the line OPENCLAW_BUNDLED_HOOKS_DIR=/tmp/evil_hooks.
4. The attacker places the malicious .env file into a workspace that a victim user is likely to open within OpenClaw.
5. The victim user opens the workspace within OpenClaw.
6. OpenClaw reads the .env file and overrides the default OPENCLAW_BUNDLED_HOOKS_DIR with the attacker-controlled path /tmp/evil_hooks.
7. OpenClaw loads and executes the malicious hook code from evil_hook.py, granting the attacker arbitrary code execution.
8. The attacker gains control of the OpenClaw process and potentially the underlying system.

Impact

Successful exploitation of CVE-2026-41336 allows an attacker to execute arbitrary code within the context of the OpenClaw application. This could lead to the complete compromise of the affected system, including data theft, modification, or destruction. Given the nature of the vulnerability, any system running a vulnerable version of OpenClaw is at risk if it processes untrusted workspaces. The CVSS v3.1 base score of 7.8 reflects the high potential impact of this vulnerability.

Recommendation

• Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41336.
• Implement strict workspace validation to prevent the loading of malicious .env files.
• Monitor process creations originating from the OpenClaw process for suspicious activity using the OpenClaw Suspicious Process Creation Sigma rule.
• Deploy the OpenClaw Environment Variable Override Sigma rule to detect attempts to override the OPENCLAW_BUNDLED_HOOKS_DIR variable.

]]>highadvisorycvecode-executionenvironment-variable-override