CVE-2026-41371 · HIGH 8.5 · EPSS percentile 16.6%

CVE-2026-41371

Description

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path.

Scoring

CVSS 3.1: 8.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
EPSS: 0.26% probability of exploitation · percentile 16.6% · 2026-06-19T12:03:05Z
Published: 2026-04-28
Last modified: 2026-04-28

Underlying weaknesses (1)

CWE-863

References

  1. https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g
  2. https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-reset-command

Weakness mappings (1)

Type      | Target                            | Confidence | Tier
Weakness  | Incorrect Authorization (cwe-863) | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41344
  2. CVE-2026-41359
  3. CVE-2026-35674
  4. CVE-2026-35660
  5. CVE-2026-41378
  6. CVE-2026-41394
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.