8.5
CVE-2026-41371
- EPSS 0.26%
- Veröffentlicht 27.04.2026 23:24:32
- Zuletzt bearbeitet 28.04.2026 18:44:10
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
LoginOpenClaw < 2026.3.28 - Privilege Escalation via chat.send Reset Command
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.165 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 8.5 | 3.1 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
|
| disclosure@vulncheck.com | 8.4 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/openclaw/openclaw/security/advisories/GHSA-5r8f-96gm-5j6g
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-reset-command