CVE-2026-41909

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.4 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N                                    

Vulnerability Description

OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope.

Vulnerability Details

Published Date

April 23, 2026

Last Modified

April 23, 2026

CWE ID

CWE-863

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/5a12f30441d5b0b151f550daa2c5c9e8db61e2e6
https://github.com/openclaw/openclaw/security/advisories/GHSA-xrq9-jm7v-g9h7
https://www.vulncheck.com/advisories/openclaw-improper-authorization-in-paired-device-pairing-actions

CVE-2026-41909

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment