Improper access control in OpenClaw - CVE-2026-41403


Published: April 30, 2026


Vulnerability identifier: #VU128606
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41403
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass access restrictions for the diffs viewer.

The vulnerability exists due to improper access control in the diffs viewer when handling proxied remote requests while allowRemoteViewer is disabled. A remote attacker can send a proxied request that the viewer misclassifies as originating from loopback, and thereby bypass the access restrictions that allowRemoteViewer is meant to enforce on the diffs viewer.

Only configurations with allowRemoteViewer disabled are affected.
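The following is an added illustration of the defect class the advisory describes, not OpenClaw's own code: a loopback-only gate that classifies a request as "local" from the TCP peer address alone is fooled when a reverse proxy on the same host forwards a remote client's request, and a gate that trusts a forwarded-address header blindly is fooled by a spoofed header. The hardened variant fails closed unless the peer is loopback, the header (if any) comes from a configured trusted proxy, and every reported hop is loopback. All names, the `X-Forwarded-For` handling and the trusted-proxy set are assumptions for the example.

```typescript
// Added example (hypothetical names, not OpenClaw code): classifying a viewer request as local or remote.
interface ViewerRequest {
  peerAddress: string;    // address of the TCP peer that connected to the viewer
  forwardedFor?: string;  // X-Forwarded-For value, if present; client-controlled unless a trusted proxy set it
}

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function isLoopbackAddress(addr: string): boolean {
  return LOOPBACK.has(addr) || addr.startsWith("127.");
}

// Weak classification: looks only at the peer address. A request relayed by a reverse proxy
// running on the same host arrives from 127.0.0.1 and is wrongly treated as a local client.
function weakIsLocal(req: ViewerRequest): boolean {
  return isLoopbackAddress(req.peerAddress);
}

// Hardened classification: the peer must be loopback; if a forwarded-address header is present,
// the peer must be a configured trusted proxy and every hop it reports must itself be loopback.
// Anything else (remote peer, header from an untrusted peer, any non-loopback hop) is remote.
function hardenedIsLocal(req: ViewerRequest, trustedProxies: Set<string>): boolean {
  if (!isLoopbackAddress(req.peerAddress)) return false;
  if (req.forwardedFor === undefined) return true;         // direct loopback connection, no proxy
  if (!trustedProxies.has(req.peerAddress)) return false;  // header from a peer we do not trust
  const hops = req.forwardedFor.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
  return hops.length > 0 && hops.every(isLoopbackAddress);
}

// The gate the advisory refers to: with allowRemoteViewer disabled, only local requests pass.
function viewerAllowed(req: ViewerRequest, allowRemoteViewer: boolean, trustedProxies: Set<string>): boolean {
  return allowRemoteViewer || hardenedIsLocal(req, trustedProxies);
}
```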


How to mitigate CVE-2026-41403

Install the security update from the vendor's website.

Sources