Improper access control in OpenClaw - CVE-2026-41331

Published: April 30, 2026


Vulnerability identifier: #VU128624
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41331
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to cause excessive resource consumption.

The vulnerability exists because the Telegram audio preflight transcription logic runs before the sender allowlist is enforced: an audio message posted in a Telegram group is handed to transcription even when its sender is not on the allowlist. A remote attacker who can post audio messages in a group the bot is a member of can therefore trigger repeated transcription work without being authorised to interact with the bot.

The impact is limited to transcription resource usage and the associated billing burn; the flaw does not expose data or compromise the host.
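The defect pattern is an ordering one: an expensive step (transcription) runs before a cheap authorisation check (the sender allowlist), so rejected senders still pay for nothing while the operator pays for everything. The following TypeScript is an added illustration and not OpenClaw's code; the update shape, the `GatewayConfig` allowlist and the `Transcriber` stand-in are assumptions made for the example. It puts the vulnerable ordering next to the corrected one and counts how many transcriptions a burst of voice notes from a non-allowlisted group member triggers under each.

```typescript
// Added example, not OpenClaw's code: the check-after-work ordering described
// above, modelled with a simplified Telegram update and a stand-in transcriber.
// TelegramUpdate, GatewayConfig and Transcriber are assumed names, not the project's.

interface TelegramUpdate {
  chatId: number;      // the group the voice note was posted in
  senderId: number;    // Telegram user ID of the poster
  audioBytes: number;  // size of the voice note, standing in for the payload
}

interface GatewayConfig {
  allowedSenders: Set<number>;  // allowlist of Telegram user IDs
}

// Stand-in for an external speech-to-text API. Every call costs CPU time and
// money, so the call count is the quantity measured below.
class Transcriber {
  calls = 0;
  billedSeconds = 0;
  transcribe(audioBytes: number): string {
    this.calls += 1;
    this.billedSeconds += Math.ceil(audioBytes / 16000); // assumed 16 kB per second of audio
    return `<transcript of ${audioBytes} bytes>`;
  }
}

type Handler = (u: TelegramUpdate, c: GatewayConfig, s: Transcriber) => string | null;

function isAllowedSender(update: TelegramUpdate, cfg: GatewayConfig): boolean {
  return cfg.allowedSenders.has(update.senderId);
}

// Vulnerable ordering: the audio is transcribed up front ("preflight") so the
// text is available for routing, and only then is the sender checked. The
// unauthorised sender is rejected, but the transcription has already been paid for.
const handleUpdateVulnerable: Handler = (update, cfg, stt) => {
  const text = stt.transcribe(update.audioBytes);
  if (!isAllowedSender(update, cfg)) {
    return null;
  }
  return text;
};

// Fixed ordering: enforce the allowlist before any paid or CPU-heavy work,
// so unauthorised senders never reach the transcriber at all.
const handleUpdateFixed: Handler = (update, cfg, stt) => {
  if (!isAllowedSender(update, cfg)) {
    return null;
  }
  return stt.transcribe(update.audioBytes);
};

// Replays a burst of identical voice notes from one sender through a handler
// and returns how many transcriptions it triggered.
function transcriptionsTriggered(handler: Handler, update: TelegramUpdate, cfg: GatewayConfig, count: number): number {
  const stt = new Transcriber();
  for (let i = 0; i < count; i++) {
    handler(update, cfg, stt);
  }
  return stt.calls;
}

// Constructed scenario: one allowlisted user and one stranger, both posting in the same group.
const demoConfig: GatewayConfig = { allowedSenders: new Set([1001]) };
const demoStranger: TelegramUpdate = { chatId: -100500, senderId: 4242, audioBytes: 320_000 };
const demoMember: TelegramUpdate = { chatId: -100500, senderId: 1001, audioBytes: 320_000 };

console.log("vulnerable, stranger x50:", transcriptionsTriggered(handleUpdateVulnerable, demoStranger, demoConfig, 50));
console.log("fixed, stranger x50:     ", transcriptionsTriggered(handleUpdateFixed, demoStranger, demoConfig, 50));
console.log("fixed, member x3:        ", transcriptionsTriggered(handleUpdateFixed, demoMember, demoConfig, 3));
```

The general rule the fixed handler follows is to place every authorisation decision before any step whose cost is controlled by the attacker (decoding, transcription, model calls, outbound requests); a check that only gates what happens to the result, not whether the work is done, does not bound resource consumption.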


How to mitigate CVE-2026-41331

Install the security update from the vendor's website. Until it is applied, any member of a Telegram group the bot participates in can reach the transcription path regardless of the allowlist, so review which groups the bot is present in.
