OpenClaw CVE Batch April 2026: Eight Critical Vulnerabilities Every Operator Needs to Know

ByL.B. Kaelin

OpenClaw CVE Batch April 2026: Eight Critical Vulnerabilities Every Operator Needs to Know

On April 24, 2026, the OpenClaw project released an emergency patch addressing eight CVEs spanning authentication bypass, remote code execution, privilege escalation, and sandbox escape. This is the largest coordinated vulnerability disclosure in the project’s history. If you operate an OpenClaw instance on a VPS, home server, or corporate network, your deployment is reachable by anyone scanning for default ports. Here is what each vulnerability does, who is at risk, and exactly what to do about it.

Why This OpenClaw CVE 2026 Batch Matters

OpenClaw has grown to an estimated 3 million active installs across personal workstations, cloud VPS instances, and managed on-premise deployments. Its architecture is agentic by design: nodes connect to a gateway over WebSockets, agents execute code autonomously, and configuration flows from the gateway to every connected node. This trust model is what makes OpenClaw powerful. It is also what makes a chain of vulnerabilities in the gateway, node scope, and privilege layers an existential security event for every operator.

In March 2026, security researchers at Bissa Labs disclosed findings of a trojan horse agent campaign that compromised approximately 28,000 OpenClaw nodes through malicious plugin distribution. TechRadar and BleepingComputer covered the story. The April batch of CVEs does not describe a single campaign. It describes fundamental flaws in OpenClaw’s authorization, sandbox, and transport layers that a motivated attacker could chain into full gateway compromise. The 2026-4-24 release fixes all eight issues. Operators still on any earlier build should treat their deployments as potentially exposed.

The Eight CVEs

CVE-2026-41342: Remote Onboarding Authentication Bypass

Severity: Critical

What it does: An unauthenticated remote attacker can complete the node onboarding handshake without a valid bootstrap token. The gateway accepts specially crafted WebSocket upgrade requests that skip token validation entirely, granting the connecting client a fully provisioned node session.

Who is at risk: Any gateway exposed to the internet with remote onboarding enabled (the default for VPS and Tailnet deployments).

Fix: Update to openclaw 2026-4-24. As a temporary workaround, disable remote onboarding by setting allowRemoteOnboarding: false in your gateway configuration, or restrict access via firewall rules to known IP ranges.

CVE-2026-41349: Agentic Consent Bypass via Config Patch

Severity: Critical

What it does: An attacker with operator-level access to the gateway can push a configuration patch that disables agentic consent checks for specific plugins. Once applied, agents can execute high-risk actions (file system writes, network calls, shell commands) without the end user’s consent dialog being shown. The consent system was designed as a mandatory gate. This patch bypasses it silently.

Who is at risk: Multi-user gateways where operators and end users have distinct roles. Single-user deployments are also at risk if an attacker gains any write access to the gateway config.

Fix: Update to 2026-4-24. The patch validates that consent configuration mutations are authenticated with admin-level credentials and rejects config patches that strip consent requirements from the active plugin set.

CVE-2026-41352: Node Scope Gate Remote Code Execution

Severity: Critical

What it does: The node scope gate, which restricts which system commands an agent can run on its host, contains an argument injection vulnerability. A crafted scope policy can escape the defined command whitelist and execute arbitrary shell commands on the node’s operating system. This is a sandbox escape delivered through the gateway’s policy engine.

Who is at risk: All nodes connected to gateways running vulnerable versions. The attacker can be remote if chained with CVE-2026-41342 or CVE-2026-41353.

Fix: Update to 2026-4-24. The patch sanitizes all arguments passed through scope gate evaluation and removes the ability to inject separator characters through policy strings.

CVE-2026-41353: Access Control Bypass via allowProfiles

Severity: High

What it does: The allowProfiles configuration option, intended to restrict which user profiles can access specific gateway features, does not enforce its restrictions at the API middleware layer. An authenticated user with a disallowed profile can directly call the protected endpoints by crafting API requests that the middleware does not properly filter. The profile check is only applied in the UI layer.

Who is at risk: Any gateway using profile-based access controls to segregate user capabilities. This includes teams that set up read-only profiles, operator-only endpoints, or admin-only plugin management through allowProfiles.

Fix: Update to 2026-4-24. The patch moves profile enforcement into the API middleware so that all requests, regardless of origin, are checked against the caller’s profile before reaching the handler.

CVE-2026-41355: Mirror Mode Sandbox Code Execution

Severity: Critical

What it does: Mirror mode is a debugging and inspection feature that allows an operator to view the full internal state of a running agent, including memory, variable values, and execution traces. An attacker who has obtained operator access to a gateway can inject malicious code through the mirror mode inspection interface that executes inside the target agent’s sandbox, bypassing the normal code submission pipeline and its associated consent checks.

Who is at risk: Gateways where mirror mode is enabled (enabled by default for debugging) and where an attacker has already achieved operator-level access to any extent.

Fix: Update to 2026-4-24. The patch restricts mirror mode to read-only inspection of agent state and removes the code injection path from the inspection interface.

CVE-2026-41356: WebSocket Session Token Rotation Failure

Severity: High

What it does: OpenClaw’s WebSocket transport does not rotate session tokens after initial authentication. If an attacker captures a session token during the handshake (via network sniffing, a compromised CA, or a malicious plugin already present on the node), that token remains valid indefinitely. There is no built-in expiration, no rotation on reconnection, and no mechanism to revoke individual sessions without restarting the entire gateway.

Who is at risk: All deployments using WebSocket transport. This is effectively every OpenClaw installation using default networking.

Fix: Update to 2026-4-24. The patch implements token rotation on every reconnect and sets a maximum session lifetime after which the token must be renegotiated.

CVE-2026-41359: Privilege Escalation (Operator Write to Admin via Telegram)

Severity: Critical

What it does: The Telegram chat integration, which allows operators to control their gateway through a Telegram bot, does not properly validate the role of the user issuing administrative commands. An operator who has write access to the Telegram integration configuration can elevate their own privileges to admin by issuing a specific command sequence through the bot, bypassing the gateway’s role hierarchy entirely.

Who is at risk: Any gateway with the Telegram integration enabled. The attacker must first obtain operator-level credentials or have write access to the integration config.

Fix: Update to 2026-4-24. The patch enforces admin-level role checks on all Telegram commands that mutate gateway configuration or user roles. The integration now rejects privilege elevation attempts unless the request originates from an already-authenticated admin session.

CVE-2026-41361: SSRF Guard Bypass via IPv6 Special-Use Ranges

Severity: High

What it does: OpenClaw’s Server-Side Request Forgery (SSRF) protection is designed to prevent agents from making HTTP requests to internal network ranges (127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). However, the guard does not check IPv6 addresses against the equivalent special-use ranges, including the IPv4-mapped IPv6 range (::ffff:0:0/96), loopback (::1/128), unique local addresses (fc00::/7), and link-local addresses (fe80::/10). An agent’s SSRF guard can be bypassed by requesting an internal service using its IPv6 representation.

Who is at risk: All deployments. Any agent with network access can probe internal infrastructure by specifying IPv6 addresses that resolve to internal IPv4 services.

Fix: Update to 2026-4-24. The patch extends the SSRF guard to block all IPv6 special-use ranges matching the IPv4 block list, including IPv4-mapped IPv6 addresses, loopback, ULA, and link-local ranges.

Earlier Batch Context

The April 2026 batch follows a smaller set of disclosures in February 2026 (CVE-2026-41295 through CVE-2026-41302) that received less operator attention. Those earlier vulnerabilities included:

  • CVE-2026-41295: Trust boundary violation in the plugin loader. A plugin could read another plugin’s runtime memory because process isolation was not enforced.
  • CVE-2026-41296 through CVE-2026-41299: A cluster of SSRF vulnerabilities in the built-in HTTP tool, the webhook receiver, an OAuth callback handler, and the asset proxy. Each allowed an agent to make unauthorized requests to internal infrastructure.
  • CVE-2026-41302: An authentication bypass in the REST API that allowed TOC/TOU (time-of-check/time-of-use) attacks. An attacker could swap a valid session token between the check and the actual API call, executing actions under a different user’s identity.

These earlier CVEs were patched in the 2026-2-15 release. Operators who did not apply that update are exposed to both the February and April batches. The trojan horse campaign reported by TechRadar in March exploited a subset of these February vulnerabilities combined with plugin distribution channels.

What Operators Should Do Right Now

  1. Update to openclaw 2026-4-24 immediately. Run openclaw update on your gateway host, then restart the gateway service with openclaw gateway restart. Verify the new version with openclaw version.
  2. Update all connected nodes. Each node must run the same 2026-4-24 release to receive the scope gate fix and token rotation changes. Run openclaw node update on every node.
  3. Rotate all bootstrap tokens and session keys. After updating, regenerate bootstrap tokens with openclaw token rotate and distribute new tokens to authorized nodes. Assume old tokens may be compromised.
  4. Audit your gateway logs for unauthorized access. Look for failed onboarding attempts (CVE-2026-41342), unusual config patch events (CVE-2026-41349), and Telegram command sequences from unexpected users (CVE-2026-41359).
  5. Disable remote onboarding if not absolutely required. Set allowRemoteOnboarding: false in gateway config and use VPN or Tailscale for node connectivity.
  6. Disable mirror mode in production. Set mirrorMode: false unless actively debugging. Re-enable only when needed and disable immediately after.
  7. Review all installed plugins for signs of tampering. Compare plugin checksums against the OpenClaw plugin registry. Remove any plugins not on the registry.
  8. Set up external monitoring. Configure a log aggregator (Loki, DataDog, or a simple syslog forwarder) to capture gateway logs off-host. On-host logs can be altered by an attacker who gains node-level access.
  9. If you run the Telegram integration, review the user role assignments. Ensure no operator has been elevated to admin without your knowledge.
  10. Test IPv6 SSRF guard. After updating, verify that agents cannot reach http://[::1]:8080 or http://[::ffff:127.0.0.1]:8080 from inside the sandbox.

Sources

Source Links

Related Reading on Red Rook AI

Similar Posts