CVE-2026-41339

· NIST NVD ↗

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.

MEDIUM
CVSS severity
4.3
CVSS base score
2026-04-23
Published

CWE codes

CWE-497

Affected products

openclaw:openclaw

Sources