← back
CVE-2026-41349

OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch

CVSS 8.7 HIGHEPSS 0.5%CWE-862
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
OpenClaw · OpenClaw

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/openclaw/openclaw/commit/76411b2afc4ae721e36c12e0ea24fd23e2fed61ehttps://github.com/openclaw/openclaw/security/advisories/GHSA-v3qc-wrwx-j3pwhttps://www.vulncheck.com/advisories/openclaw-agentic-consent-bypass-via-config-patch