LeakyCreds

CVE-2026-41386 - Vulnerability Analysis

Severity: Critical / CVSS: 9.1

Last Updated: April 28, 2026

OpenClaw - Privilege Escalation

Published: April 28, 2026 / Updated: April 28, 2026 / Remote Exploitable

Overview

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability: bootstrap setup codes are not bound to the device roles and scopes they were issued for during pairing, so an attacker can escalate privileges during first-use device pairing. Exploitation requires the first-use device pairing step.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 2.8% (probability of exploitation in the next 30 days)

Impact

Attackers can escalate privileges beyond intended roles during device pairing, potentially gaining unauthorized access or control.
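To make the weakness class concrete, here is a constructed Python sketch (not OpenClaw's code and not taken from this advisory) of a pairing flow in two variants: one where a valid setup code grants whatever role and scopes the pairing device requests, and one where the code is bound at issuance to its role and scopes with a keyed MAC, an expiry and single use. The demo key, function names and in-memory stores are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key and in-memory state; a real service would use a
# managed secret and persistent, single-use code storage.
SECRET = b"constructed-demo-key"
VALID_CODES = set()   # vulnerable design: the code is all that is remembered
USED_CODES = set()

def _tag(code, role, scopes, exp):
    """Keyed MAC over the code and the role/scopes/expiry it was issued with."""
    msg = f"{code}|{role}|{','.join(sorted(scopes))}|{exp}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_setup_code(role, scopes, ttl=600):
    """Issue a bootstrap setup code and record the role/scopes it was issued for."""
    code = secrets.token_hex(8)
    exp = int(time.time()) + ttl
    VALID_CODES.add(code)
    return {"code": code, "role": role, "scopes": sorted(scopes),
            "exp": exp, "tag": _tag(code, role, scopes, exp)}

def pair_unbound(code, requested_role, requested_scopes):
    """Vulnerable pairing: any valid code grants whatever the device asks for."""
    if code not in VALID_CODES:
        return None
    return {"role": requested_role, "scopes": sorted(requested_scopes)}

def pair_bound(grant, requested_role, requested_scopes, now=None):
    """Hardened pairing: the MAC ties the code to the role/scopes it was issued for."""
    now = int(time.time()) if now is None else now
    expected = _tag(grant["code"], grant["role"], grant["scopes"], grant["exp"])
    if not hmac.compare_digest(expected, grant["tag"]):
        return None                                   # role/scopes were altered
    if grant["code"] not in VALID_CODES or grant["code"] in USED_CODES:
        return None                                   # unknown or replayed code
    if now > grant["exp"]:
        return None                                   # expired code
    if requested_role != grant["role"] or not set(requested_scopes) <= set(grant["scopes"]):
        return None                                   # asks for more than was issued
    USED_CODES.add(grant["code"])
    return {"role": grant["role"], "scopes": sorted(requested_scopes)}
```

The unbound variant is the shape of the defect the advisory describes; the bound variant refuses a code presented with a different role, a wider scope set, after expiry, or a second time.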

Mitigation

Update to version 2026.3.22 or later.

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Apr 28, 2026

🔴 CVE-2026-41386 - Critical (9.1) OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during first-use device pairing to escalate privileges... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-41386/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-41386
Severity: Critical
CVSS Score: 9.1
Type: broken_access_control
Status: unconfirmed
EPSS: 2.8%
Social Posts: 1

CWE

  • CWE-648

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

2.8% (probability of exploitation in the next 30 days)