CVE Database · CVE-2026-41376
CVSS v3.1: 5.4
CVSS v4.0: 2.3
EPSS: 0.16%
Published: Apr 28, 2026
Modified: May 1, 2026
Public PoC / Exploit
No public PoC or exploit code indexed for this CVE.
Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.
Description
OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root and reply context messages that should be filtered by sender allowlists, bypassing access controls.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Weaknesses (CWE)
Affected Products (1)
References (3)