OpenClaw — Six CVEs Cover Agentic Consent Bypass, RCE, SSRF, and Authorization Gaps

AI relevance: OpenClaw is a widely deployed AI agent framework — these vulnerabilities directly affect how LLM agents execute commands, authenticate nodes, and filter message context in production agent infrastructure.

Between late March and early April 2026, six CVEs were published against the OpenClaw AI agent platform, ranging from agentic consent bypass to remote code execution and SSRF guard failures. The vulnerabilities span different OpenClaw sub-systems and all were patched in subsequent releases.

The Vulnerabilities

• CVE-2026-41349 (CVSS 8.8, High) — Agentic consent bypass. The config.patch parameter allowed LLM agents to silently disable exec.approval, removing the human-in-the-loop gate on command execution. Affected versions: before 2026.3.28.
• CVE-2026-41352 (CVSS 8.8, High) — RCE via device-paired node. Device-paired nodes could bypass the node scope gate authentication, executing arbitrary node commands on the host without proper pairing validation. Affected versions: before 2026.3.31.
• CVE-2026-41353 (CVSS 8.1, High) — Access control bypass in allowProfiles. Attackers could circumvent profile restrictions to use disallowed model profiles. Affected versions: before 2026.3.22.
• CVE-2026-41361 (CVSS 7.1, High) — SSRF guard bypass. The SSRF filter failed to block four IPv6 special-use ranges, enabling server-side request forgery. Affected versions: before 2026.3.28.
• CVE-2026-41358 (CVSS 5.4, Medium) — Slack thread sender allowlist bypass. Non-allowlisted senders could inject messages into agent context via allowlisted user replies in Slack threads. Affected versions: before 2026.4.2.
• CVE-2026-41348 (CVSS 5.4, Medium) — Discord slash command authorization bypass. Discord slash command and autocomplete paths failed to enforce group-based access controls. Affected versions: before 2026.3.31.

Why It Matters

• The consent bypass (CVE-2026-41349) is especially dangerous in agent platforms — removing execution approval means an LLM can run arbitrary commands without human oversight, turning any prompt injection into full host compromise.
• The node-scoped RCE (CVE-2026-41352) affects multi-node deployments where device pairing is the trust boundary. Once credentials leak, the scope gate provided no additional defense-in-depth.
• The SSRF IPv6 gap (CVE-2026-41361) illustrates a common pattern: blocklists that cover IPv4 but miss IPv6 special ranges (::1, fc00::/8, fe80::/10, etc.) leave SSRF protections incomplete.
• Both messaging platform CVEs (Slack and Discord) show that agent context filtering must account for indirect injection paths — not just direct messages, but thread replies and autocomplete interactions.

What to Do

• Upgrade OpenClaw to the latest version (at minimum 2026.4.2 to cover all six CVEs).
• If using exec.approval as a security control, audit historical logs for any period when config.patch may have been manipulated by agent turns.
• Review node pairing credentials in multi-node setups — rotate any that may have been exposed before the 2026.3.31 patch.
• Validate SSRF filters against both IPv4 and IPv6 special-use ranges in any agent platform that fetches external URLs.
• For Slack/Discord integrations, verify that sender allowlists cover threaded replies and autocomplete interactions, not just direct messages.

Sources

• CVE-2026-41349 — Agentic Consent Bypass
• CVE-2026-41352 — RCE via Device-Paired Node
• CVE-2026-41353 — allowProfiles Bypass
• CVE-2026-41361 — SSRF Guard Bypass
• CVE-2026-41358 — Slack Thread Allowlist Bypass
• CVE-2026-41348 — Discord Authorization Bypass