CVE-2026-41359

· NIST NVD ↗

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

HIGH
CVSS severity
7.1
CVSS base score
2026-04-23
Published

CWE codes

CWE-269

Affected products

openclaw:openclaw

Sources