JustAppSec
Back to news

Unauthenticated routes inherit operator write scopes in openclaw

1 min readPublished 28 Apr 2026Source: CVEProject (cvelistV5)
CVE-2026-41394NewsAI SecurityIdentity

TL;DR - In openclaw before 2026.3.31, HTTP routes tagged auth:"plugin" run with operator runtime write scopes regardless of whether authentication succeeded. No credentials needed. Treat it as unauthenticated access to privileged runtime actions and patch immediately.

What happened

openclaw (npm package pkg:npm/openclaw) is an autonomous AI agent runtime. CVE-2026-41394 is an authorisation bypass: routes marked auth:"plugin" are granted operator runtime write scopes before any authentication decision is made. An unauthenticated caller can hit those routes and trigger privileged runtime actions that are supposed to be operator-only.

ItemDetail
Affected componentopenclaw plugin-auth HTTP routes
Affected versions< 2026.3.31
Fixed version2026.3.31
SeverityCVSS v4.0 8.8 (High)
CVSS vector (v4.0)CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Scope inheritance on pre-auth routes is a well-worn path to remote control of automation surfaces. If openclaw sits near build pipelines, deployment hooks, or secrets-bearing workflows, the blast radius is larger than a typical API bug.

Who is impacted

  • Any deployment running the npm package openclaw at a version < 2026.3.31.
  • Environments where OpenClaw's HTTP surface is reachable from untrusted networks.
  • Teams treating plugin-auth routes as a hard boundary before privileged runtime actions become possible.

What to do now

  • Patch to 2026.3.31 or later. The CVE record marks this version as unaffected.
  • Inventory every place openclaw is installed: lockfiles, CI images, deployed containers. Confirm nothing is running a < 2026.3.31 build.
  • While rolling out the fix:
    • Restrict network access to OpenClaw's HTTP endpoints at the perimeter.
    • Monitor for unexpected calls to plugin-auth routes and anomalous privileged runtime activity.
  • If the service was reachable before patching, rotate all credentials and tokens accessible to the OpenClaw runtime, scoped to your deployment's privilege model.

Additional Information

  • GitHub Security Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-mhgq-xpfq-6r66
  • Patch commit: https://github.com/openclaw/openclaw/commit/2a1db0c0f1fa375004a95ba0ef030534790a6d47
  • VulnCheck advisory: https://www.vulncheck.com/advisories/openclaw-unauthorized-operator-scope-access-in-unauthenticated-plugin-auth-routes

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.

Need help?Get in touch.