CVE-2026-41378

· NIST NVD ↗

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with trusted paired node credentials can escalate privileges by leveraging unrestricted agent.request dispatch to achieve remote code execution on the gateway.

HIGH
CVSS severity
8.8
CVSS base score
2026-04-28
Published

CWE codes

CWE-862

Affected products

openclaw:openclaw

Sources