CVE-2026-41388

· NIST NVD ↗

OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.

MEDIUM
CVSS severity
6.5
CVSS base score
2026-04-28
Published

CWE codes

CWE-372

Affected products

openclaw:openclaw

Sources