7.1

CVE-2026-41379

OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers with operator.write privileges can exploit the chat.send endpoint to reach and modify sensitive voice configuration settings intended for administrators only.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenClawOpenClaw SwPlatformnode.js Version < 2026.3.28
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.151
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
disclosure@vulncheck.com 7.1 2.8 4.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
disclosure@vulncheck.com 7.1 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/openclaw/openclaw/security/advisories/GHSA-3q42-xmxv-9vfr
Vendor Advisory
https://github.com/openclaw/openclaw/commit/e34694733fc64931ed4a543c73d84ad3435d5df1
Patch
https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-admin-class-talk-voice-config
Third Party Advisory