Vulnerabilities ›

CVE-2026-41359

High

CWE-269 — Weakness Type

                    Published: Apr 23, 2026                      ·  Modified: Apr 30, 2026                      ·  Source: NVD                

CVSS v3

7.1

🔗 NVD Official

📄 Description (English)

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.

🤖 AI Executive Summary

OpenClaw before version 2026.3.28 contains a privilege escalation vulnerability (CVE-2026-41359) with CVSS 7.1 that allows authenticated operators with write permissions to access sensitive admin-class Telegram configuration and cron persistence settings. Attackers exploiting insufficient access controls can modify persistence mechanisms and administrative functionality, posing significant risk to organizations using OpenClaw for automation and monitoring. No patch is currently available, requiring immediate compensating controls and access restriction measures.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 17:49

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using OpenClaw for infrastructure automation, particularly in government agencies (NCA, CITC), banking sector (SAMA-regulated institutions), and critical infrastructure operators face elevated risk. The vulnerability enables persistence mechanism modification and unauthorized administrative access, potentially compromising security monitoring, incident response capabilities, and system integrity. Energy sector operators (ARAMCO, SEC) and telecommunications providers (STC, Mobily) utilizing OpenClaw for operational automation are particularly vulnerable to supply chain compromise and unauthorized persistence installation.

🏢 Affected Saudi Sectors

Government (NCA, CITC, Ministry of Interior) Banking and Financial Services (SAMA-regulated institutions) Energy and Utilities (ARAMCO, SEC) Telecommunications (STC, Mobily, Zain) Healthcare (MOH, private hospitals) Critical Infrastructure Operators

🎯 MITRE ATT&CK Techniques

T1548 - Abuse Elevation Control Mechanism T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control T1547 - Boot or Logon Autostart Execution T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1133 - External Remote Services T1021 - Remote Service Session Initiation

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all operator.write credential assignments and restrict to minimum necessary personnel

2. Implement network segmentation isolating OpenClaw send endpoint from untrusted networks

3. Enable comprehensive logging and monitoring of all send endpoint requests with focus on Telegram configuration and cron modifications

4. Review audit logs for unauthorized access to admin-class settings and persistence mechanisms



COMPENSATING CONTROLS:

5. Implement API gateway with role-based access control (RBAC) enforcing operator.write restrictions at network layer

6. Deploy Web Application Firewall (WAF) rules blocking send endpoint requests containing Telegram or cron configuration parameters

7. Establish privileged access management (PAM) solution requiring multi-factor authentication for operator.write credentials

8. Implement file integrity monitoring (FIM) on cron configuration files and Telegram settings



DETECTION RULES:

9. Alert on send endpoint requests with parameters: 'telegram_config', 'admin_settings', 'cron_persistence', 'persistence_mechanism'

10. Monitor for privilege escalation patterns: operator.write credentials accessing admin-class endpoints

11. Track modifications to cron jobs and Telegram configuration files with source attribution

12. Monitor for unusual send endpoint request patterns from operator.write accounts



PATCHING:

13. Subscribe to OpenClaw security advisories for version 2026.3.28+ release

14. Prepare upgrade testing environment immediately upon patch availability

15. Plan emergency patching window with change management approval

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تعيينات بيانات اعتماد operator.write وتقييد الوصول للأشخاص الضروريين فقط

2. تنفيذ تقسيم الشبكة لعزل نقطة نهاية send في OpenClaw عن الشبكات غير الموثوقة

3. تفعيل السجلات الشاملة ومراقبة جميع طلبات نقطة نهاية send مع التركيز على تعديلات إعدادات Telegram و cron

4. مراجعة سجلات التدقيق للوصول غير المصرح إلى الإعدادات الإدارية وآليات الاستمرارية

التدابير التعويضية:

5. تنفيذ بوابة API مع التحكم في الوصول القائم على الأدوار (RBAC) لفرض قيود operator.write على مستوى الشبكة

6. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحجب طلبات نقطة نهاية send التي تحتوي على معاملات إعدادات Telegram أو cron

7. إنشاء حل إدارة الوصول المميز (PAM) يتطلب المصادقة متعددة العوامل لبيانات اعتماد operator.write

8. تنفيذ مراقبة سلامة الملفات (FIM) على ملفات إعدادات cron وإعدادات Telegram

قواعد الكشف:

9. تنبيهات على طلبات نقطة نهاية send بالمعاملات: 'telegram_config'، 'admin_settings'، 'cron_persistence'، 'persistence_mechanism'

10. مراقبة أنماط تصعيد الامتيازات: بيانات اعتماد operator.write تصل إلى نقاط نهاية إدارية

11. تتبع التعديلات على وظائف cron وملفات إعدادات Telegram مع نسب المصدر

12. مراقبة أنماط طلبات نقطة نهاية send غير العادية من حسابات operator.write

التصحيح:

13. الاشتراك في تنبيهات أمان OpenClaw لإصدار 2026.3.28+

14. تحضير بيئة اختبار الترقية فوراً عند توفر التصحيح

15. تخطيط نافذة تصحيح طارئة مع موافقة إدارة التغيير

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.9.2.1 - User access management and privilege escalation prevention ECC 2024 A.9.4.3 - Access control review and monitoring ECC 2024 A.12.4.1 - Event logging and monitoring of administrative functions ECC 2024 A.12.4.3 - Protection of log information

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Software and hardware inventory management SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.AC-4 - Access rights and privilege management SAMA CSF DE.CM-1 - System monitoring and anomaly detection

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access control ISO 27001:2022 A.8.2 - Privileged access rights ISO 27001:2022 A.8.3 - Information access restriction ISO 27001:2022 A.12.4.1 - Event logging

🟣 PCI DSS v4.0.1

PCI DSS 7.1 - Limit access to system components by business need-to-know PCI DSS 8.2 - Ensure proper user identification and authentication PCI DSS 10.2 - Implement automated audit trails for all system components

🔗 References & Sources 3

🔗

https://github.com/openclaw/openclaw/commit/b7d70ade3b9900dbe97bd73be9c02e924ff3c986

disclosure@vulncheck.com

Patch

🔗

https://github.com/openclaw/openclaw/security/advisories/GHSA-767m-xrhc-fxm7

disclosure@vulncheck.com

Vendor Advisory

🔗

https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-operator-write-t...

disclosure@vulncheck.com

Third Party Advisory

📦 Affected Products / CPE 1 entries

openclaw:openclaw

📊 CVSS Score

7.1

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.1

CWECWE-269

EPSS0.02%

Exploit No

Patch ✗ No

Published 2026-04-23

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-269

🏢 Vendor Advisories

🔗 https://github.com/openclaw/openclaw/security/adviso...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-41359

💬 Comments

Introduce Yourself

Sign In Required