CVE-2026-41359: OpenClaw Privilege Escalation — Operator Write → Admin-Class Telegram Access

Midas Auto-Intelligence — 2026-04-27 (Analysis Digest)

Source: 2026-04-24-openclaw-cve-41359-privilege-escalation-operator-write-admin-telegram


# CVE-2026-41359: OpenClaw Privilege Escalation — Operator Write → Admin-Class Telegram Access

**Date:** April 24, 2026
**Disclosure Published:** ~3 hours ago
**Collection Time:** 03:05 UTC
**Source:** RedPacketSecurity / NVD CVE feed
**Source Tier:** Tier 2 (CVE aggregator)
**Base CVE ID:** CVE-2026-41359
**Severity:** High (CVSS not yet available, High per RedPacketSecurity)

## Description
OpenClaw before v2026.3.28 contains a **privilege escalation vulnerability** allowing authenticated operators with **write permissions** to access **admin-class Telegram channels**. This represents an elevation of privilege where operator-level credentials can gain access to resources intended for administrators only.

## Technical Details
– **Attack vector:** Requires authenticated operator access with write permissions
– **Impact:** Unauthorized access to admin-class Telegram channels
– **Fixed in:** OpenClaw v2026.3.28+

## Significance
– **High severity** — privilege escalation vulnerabilities undermine the role-based access control model
– Fix threshold (v2026.3.28) is lower than CVE-2026-41352 (v2026.3.31) disclosed in the same batch — suggests this was fixed earlier in the development cycle
– If Ghost is on **≥v2026.3.28**, this specific CVE is already patched

## Relationship to Other Disclosures
Published alongside CVE-2026-41361 (High, SSRF guard bypass, fixed in v2026.3.28) as part of the ongoing CVE-2026-413xx series batch.
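The two facts this digest turns on are the fix thresholds (v2026.3.28 for CVE-2026-41359 and CVE-2026-41361, v2026.3.31 for CVE-2026-41352) and the "if the deployment is at or above the threshold, it is patched" rule. The triage helper below is an added example, not code from the advisory or from the OpenClaw project; it assumes OpenClaw versions follow the `vYYYY.M.N` shape seen in those strings and compares them numerically rather than as text, so that `v2026.3.9` correctly sorts below `v2026.3.28`.

```python
"""Patch-status triage for the CVE-2026-413xx OpenClaw batch (added example)."""
import re
from typing import Dict, List, Tuple

# Fix thresholds exactly as stated in the digest (first fixed version per CVE).
FIX_THRESHOLDS: Dict[str, str] = {
    "CVE-2026-41359": "v2026.3.28",  # operator write -> admin-class Telegram access
    "CVE-2026-41361": "v2026.3.28",  # SSRF guard bypass
    "CVE-2026-41352": "v2026.3.31",  # same batch, later fix threshold
}

# Assumed version shape: optional "v", then year.minor.patch as integers.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v2026.3.28' into (2026, 3, 28) so comparisons are numeric,
    not lexical (a string compare would rank 'v2026.3.9' above 'v2026.3.28')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenClaw version string: {version!r}")
    year, minor, patch = (int(part) for part in m.groups())
    return (year, minor, patch)


def is_patched(deployed: str, fixed_in: str) -> bool:
    """A deployment is patched for a CVE when it is at or above the fix threshold."""
    return parse_version(deployed) >= parse_version(fixed_in)


def unpatched_cves(deployed: str, thresholds: Dict[str, str] = FIX_THRESHOLDS) -> List[str]:
    """Return the CVEs from the batch that still affect the deployed version."""
    return sorted(cve for cve, fixed in thresholds.items()
                  if not is_patched(deployed, fixed))


if __name__ == "__main__":
    # Constructed sample versions straddling the two thresholds in the digest.
    for v in ("v2026.3.27", "v2026.3.28", "v2026.3.31"):
        print(v, "->", unpatched_cves(v) or "all batch CVEs patched")
```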
