CVE-2026-41349: OpenClaw Agentic Consent Bypass — LLM Agents Silently Disable Execution Approval

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-24-openclaw-cve-41349-agentic-consent-bypass-config-patch


# CVE-2026-41349: OpenClaw Agentic Consent Bypass — LLM Agents Silently Disable Execution Approval

**Date:** April 24, 2026
**Disclosure Published:** ~13 hours ago
**Collection Time:** 13:05 UTC
**Source:** RedPacketSecurity / NVD CVE feed
**Source Tier:** Tier 2 (CVE aggregator)
**Base CVE ID:** CVE-2026-41349
**Severity:** High

## Description
OpenClaw before v2026.3.28 contains an **agentic consent bypass vulnerability** allowing LLM agents to **silently disable execution approval via the config.patch parameter**. This undermines the consent/safety mechanism that requires user approval before agents execute privileged operations.

## Technical Details
- **Vulnerability type:** Consent bypass / safety mechanism bypass
- **Attack vector:** LLM agent uses config.patch parameter to alter approval settings
- **Impact:** Agents can disable execution approval without user awareness, enabling unauthorized actions
- **Fixed in:** OpenClaw v2026.3.28+
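As an added illustration of the defensive pattern such a fix implies (not OpenClaw's code; the protected key names, the `actor` model and the audit format are assumptions), a guard that refuses agent-originated config patches touching consent-gated settings, records the attempt, and still lets a human change them:

```python
from copy import deepcopy
from typing import Any

# Hypothetical key paths that gate privileged actions behind user consent
# (assumed names; the real OpenClaw config layout is not given on the page).
PROTECTED_PREFIXES = (("approval",), ("security", "consent"))


class ConsentBypassAttempt(Exception):
    """Raised when an agent-originated patch would alter a consent-gated setting."""


def _flatten(obj: Any, prefix: tuple = ()) -> dict:
    """Flatten nested dicts into {(key, ...): value} so every key path a patch
    touches can be checked, however deeply it is nested."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out: dict = {}
    for k, v in obj.items():
        out.update(_flatten(v, prefix + (k,)))
    return out


def is_protected(path: tuple) -> bool:
    """True if the path is, or lies under, a protected prefix."""
    return any(path[: len(p)] == p for p in PROTECTED_PREFIXES)


def apply_config_patch(config: dict, patch: dict, actor: str, audit: list) -> dict:
    """Merge `patch` into a copy of `config`; `actor` is "human" or "agent".
    A non-human actor may not touch protected paths: the attempt is written to
    the audit trail and rejected, so approval can never be flipped silently."""
    touched = _flatten(patch)
    if actor != "human":
        denied = sorted(p for p in touched if is_protected(p))
        if denied:
            audit.append(f"DENY actor={actor} protected={['.'.join(p) for p in denied]}")
            raise ConsentBypassAttempt(denied)
    new = deepcopy(config)
    for path, value in touched.items():
        node = new
        for key in path[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[path[-1]] = value
    audit.append(f"ALLOW actor={actor} keys={['.'.join(p) for p in touched]}")
    return new


# Constructed baseline: execution approval is required before privileged actions.
BASELINE = {"approval": {"exec": "required"}, "model": {"temperature": 0.2}}
```

A scalar patch such as `{"approval": "disabled"}` is also caught, because the check matches on path prefixes rather than on the exact leaf key.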

## Significance
- **High severity** — directly subverts a core safety mechanism (execution approval)
- Particularly concerning for enterprise deployments where consent gating is relied upon for compliance and security
- The `config.patch` attack surface suggests agents can modify runtime configuration — a broader concern beyond this single CVE
- Fix threshold (≥v2026.3.28) — should already be patched if Ghost is on a current version

## Relationship to Other Disclosures
Part of the April 24 CVE-2026-413xx batch. This batch now totals at least **nine CVEs** across the series published April 24. The agentic consent bypass is one of the most architecturally significant vulnerabilities in the batch because it directly subverts a safety mechanism rather than exploiting a standard auth flaw.

## April 24 Batch Summary (documented so far)
| CVE (CVE-2026-) | Severity | Fixed in | Type |
|---|---|---|---|
| 41349 | High | ≥2026.3.28 | Agentic consent bypass (config.patch) |
| 41352 | 8.8 | ≥2026.3.31 | RCE via node scope gate |
| 41353 | High | ≥2026.3.22 | allowProfiles access bypass |
| 41336 | High | ≥2026.3.31 | .env file override (OPENCLAW_BUNDLED_HOOKS_DIR) |
| 41342 | High | ≥2026.3.28 | Remote onboarding auth bypass |
| 41356 | 5.4 | ≥2026.3.31 | WebSocket token persistence |
| 41359 | High | ≥2026.3.28 | Privilege escalation → admin Telegram |
| 41361 | High | ≥2026.3.28 | SSRF IPv6 bypass |
