Insufficient verification of data authenticity in OpenClaw - CVE-2026-41300


Published: April 30, 2026


Vulnerability identifier: #VU128612
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41300
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the remote onboarding endpoint selection logic preserves a discovered endpoint after the operator declines to trust it and then presents that endpoint prefilled in the manual prompt. A remote attacker who controls a discoverable endpoint can cause the malicious endpoint to remain prefilled, so that gateway credentials are routed to it and sensitive information is disclosed.

User interaction is required because the operator must accept the prefilled endpoint in the manual prompt.
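The following is an added illustration of the flaw class described above, written for this page and not taken from OpenClaw or any other project: every type, function name and URL in it is a constructed assumption. It models the endpoint selection step in two forms, the vulnerable one in which a declined discovery still becomes the manual prompt's default, and a hardened one in which a declined discovery is discarded, and it ends with a defender-side check over constructed onboarding event records that flags credentials delivered to a URL the operator had previously declined.

```typescript
// Constructed model of an onboarding flow: discovery, trust decision, manual
// prompt, credential delivery. Not OpenClaw's code; all names are assumptions.

type EndpointSource = "discovered" | "manual";

interface Endpoint {
  url: string;
  source: EndpointSource;
}

// Operator's answer to "trust this discovered gateway?".
type TrustDecision = "accepted" | "declined";

interface ManualPrompt {
  // Default value shown in the manual prompt; accepting without edits uses it.
  prefill: string | null;
}

// Vulnerable selection: the discovered endpoint is kept no matter what the
// operator decided, so a declined (possibly attacker-controlled) endpoint is
// still the default answer of the manual prompt.
function selectEndpointVulnerable(discovered: Endpoint | null, decision: TrustDecision): ManualPrompt {
  void decision; // deliberately ignored: this is the defect being illustrated
  return { prefill: discovered?.url ?? null };
}

// Hardened selection: a declined discovery is dropped entirely; only an
// explicitly accepted endpoint may be offered as the default.
function selectEndpointFixed(discovered: Endpoint | null, decision: TrustDecision): ManualPrompt {
  if (!discovered || decision === "declined") {
    return { prefill: null };
  }
  return { prefill: discovered.url };
}

// Where gateway credentials would be sent once the operator answers the manual
// prompt. An empty answer means "accept the default"; null means nowhere.
function credentialDestination(prompt: ManualPrompt, typed: string): string | null {
  const answer = typed.trim();
  if (answer.length > 0) {
    return answer;
  }
  return prompt.prefill;
}

// Constructed scenario: a discovered endpoint that the operator refuses to trust
// and then accepts the manual prompt's default without typing anything.
const discoveredEndpoint: Endpoint = { url: "https://gateway.example.invalid", source: "discovered" };

function compareOutcomes(): { vulnerable: string | null; fixed: string | null } {
  const decision: TrustDecision = "declined";
  const vulnerablePrompt = selectEndpointVulnerable(discoveredEndpoint, decision);
  const fixedPrompt = selectEndpointFixed(discoveredEndpoint, decision);
  return {
    vulnerable: credentialDestination(vulnerablePrompt, ""), // credentials go to the declined endpoint
    fixed: credentialDestination(fixedPrompt, ""),           // nothing is sent without an explicit URL
  };
}

// Defender-side check over onboarding event records (constructed format): flag
// any credential delivery to a URL the operator previously declined to trust.
interface OnboardingEvent {
  kind: "trust_declined" | "credentials_sent";
  url: string;
}

function findDeclinedThenUsed(events: OnboardingEvent[]): string[] {
  const declined = new Set<string>();
  const flagged: string[] = [];
  for (const event of events) {
    if (event.kind === "trust_declined") {
      declined.add(event.url);
    } else if (event.kind === "credentials_sent" && declined.has(event.url)) {
      flagged.push(event.url);
    }
  }
  return flagged;
}

// Constructed event trace matching the vulnerable outcome above.
const sampleEvents: OnboardingEvent[] = [
  { kind: "trust_declined", url: "https://gateway.example.invalid" },
  { kind: "credentials_sent", url: "https://gateway.example.invalid" },
];

console.log(compareOutcomes(), findDeclinedThenUsed(sampleEvents));
```

The fix is the state transition, not input validation: once the operator declines a discovered endpoint, nothing derived from it should survive into the manual prompt. The event check is a cheap audit that can be run over existing onboarding logs to see whether credentials were ever delivered to an endpoint that had been declined.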


How to mitigate CVE-2026-41300

Install the security update from the vendor's website.

Sources