CVE-2026-41371

Severity: High  ·  Weakness type: CWE-863
Published: Apr 28, 2026  ·  Modified: May 4, 2026  ·  Source: NVD
CVSS v3: 8.5
📄 Description (English)

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path.

🤖 AI Executive Summary

CVE-2026-41371 is a privilege escalation vulnerability in OpenClaw's chat.send function that allows write-scoped users to perform admin-only session reset operations. Attackers can rotate sessions, archive transcripts, and generate new session IDs without proper authorization, affecting confidentiality and integrity of chat systems. With a CVSS score of 8.5 and no patch currently available, this poses significant risk to organizations using OpenClaw for customer communications and internal messaging.
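The weakness class described above (CWE-863, incorrect authorization) reduces to one missing check in the request path: the handler verifies the caller's write scope but never re-checks scope for the admin-only reset branch. The following is an added illustration written for this page, not OpenClaw's code; the `Caller` type, the scope names and the parameter names that mark a reset are assumptions.

```python
from dataclasses import dataclass, field

# Assumed names of the chat.send parameters that trigger a session reset,
# rotation or transcript archival (the admin-only operations).
ADMIN_ONLY_PARAMS = {"reset", "rotate", "archive"}


@dataclass
class Caller:
    name: str
    scopes: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


def chat_send_vulnerable(caller, params):
    """Pattern of the flaw: only the write scope is checked, so any writer
    reaches the reset branch. Returns which branch was taken."""
    if "write" not in caller.scopes:
        raise AuthorizationError("write scope required")
    return "reset" if ADMIN_ONLY_PARAMS & set(params) else "message"


def chat_send_fixed(caller, params):
    """Same entry point, but the admin-only operations get their own check
    before the branch is taken, so write scope alone cannot reset a session."""
    if "write" not in caller.scopes:
        raise AuthorizationError("write scope required")
    admin_ops = ADMIN_ONLY_PARAMS & set(params)
    if admin_ops and "admin" not in caller.scopes:
        raise AuthorizationError(f"admin scope required for {sorted(admin_ops)}")
    return "reset" if admin_ops else "message"


def denies(handler, caller, params):
    """True if the handler refuses the call with an AuthorizationError."""
    try:
        handler(caller, params)
    except AuthorizationError:
        return True
    return False
```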

🤖 AI Intelligence Analysis (analyzed: May 1, 2026 16:17)
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in banking (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and telecommunications (STC, Mobily) using OpenClaw for customer service, internal communications, or chat-based transaction systems face significant risk. The vulnerability enables unauthorized session manipulation, potentially exposing sensitive customer data, transaction records, and confidential communications. Financial institutions are particularly at risk due to regulatory requirements under SAMA CSF for session management and audit trails. Government entities face compliance violations under NCA ECC 2024 controls for access control and accountability.
🏢 Affected Saudi Sectors
Banking and Financial Services; Government and Public Administration; Healthcare and Medical Services; Telecommunications; Energy and Utilities; E-commerce and Retail; Insurance
⚖️ Saudi Risk Score (AI)
8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory all OpenClaw deployments and identify systems with write-scoped user access to chat.send functionality
2. Implement network segmentation to restrict access to OpenClaw chat.send endpoints to trusted administrative networks only
3. Enable comprehensive audit logging for all chat.send operations, session resets, and transcript archival activities
4. Review access control lists and revoke unnecessary write-scoped permissions for non-administrative users

COMPENSATING CONTROLS (until patch available):
5. Deploy Web Application Firewall (WAF) rules to monitor and block suspicious chat.send requests with session reset parameters
6. Implement API gateway authentication requiring multi-factor authentication for any session management operations
7. Monitor for anomalous patterns: multiple session resets from single user, rapid session ID changes, transcript archival without admin context
8. Establish real-time alerts for unauthorized session operations and escalate to security team

DETECTION RULES:
- Alert on chat.send requests containing session reset/rotation parameters from non-admin accounts
- Monitor for transcript archival operations initiated by write-scoped users
- Track session ID generation frequency anomalies per user account
- Flag API calls combining write scope with admin-level session operations

PATCHING:
9. Monitor OpenClaw security advisories for version 2026.3.28 or later release
10. Prepare upgrade testing environment and establish patching timeline once patch is available
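The detection rules above, applied to a few constructed gateway audit events so the logic can be checked end to end. This is an added example for this page, not tooling from OpenClaw or the site; the JSON-lines log format, the field names (`method`, `caller`, `scopes`, `params`) and the parameter names treated as session resets are assumptions.

```python
import json
from collections import Counter

# Constructed sample audit log: one JSON object per line (format assumed).
SAMPLE_LOG = """\
{"ts":"2026-04-29T08:01:02Z","method":"chat.send","caller":"svc-bot","scopes":["write"],"params":{"session":"s-101","message":"hi"}}
{"ts":"2026-04-29T08:01:05Z","method":"chat.send","caller":"svc-bot","scopes":["write"],"params":{"session":"s-101","reset":true}}
{"ts":"2026-04-29T08:01:06Z","method":"chat.send","caller":"svc-bot","scopes":["write"],"params":{"session":"s-102","reset":true,"archive":true}}
{"ts":"2026-04-29T08:02:00Z","method":"chat.send","caller":"ops-admin","scopes":["write","admin"],"params":{"session":"s-200","reset":true}}
{"ts":"2026-04-29T08:02:30Z","method":"chat.history","caller":"svc-bot","scopes":["write"],"params":{"session":"s-101"}}
"""

# Assumed names of the parameters that turn chat.send into a reset/rotation/archive.
RESET_PARAMS = {"reset", "rotate", "archive", "new_session"}


def is_session_reset(event):
    """True for chat.send calls carrying any session reset/rotation parameter."""
    return event.get("method") == "chat.send" and bool(
        RESET_PARAMS & set(event.get("params", {}))
    )


def analyze(log_text, reset_threshold=2):
    """Return (alerts, resets_per_caller). Each alert is (timestamp, caller, reason):
    a reset from a caller without admin scope, or a caller hitting reset_threshold."""
    alerts = []
    resets = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not is_session_reset(ev):
            continue
        caller = ev["caller"]
        resets[caller] += 1
        if "admin" not in ev.get("scopes", []):
            alerts.append((ev["ts"], caller, "session reset without admin scope"))
        if resets[caller] == reset_threshold:
            alerts.append((ev["ts"], caller, f"{reset_threshold} session resets by one caller"))
    return alerts, dict(resets)


if __name__ == "__main__":
    for ts, who, why in analyze(SAMPLE_LOG)[0]:
        print(f"{ts} {who}: {why}")
```

On the sample data the admin-scoped reset produces no alert, while the write-scoped caller is flagged twice for resets without admin scope and once for hitting the frequency threshold.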
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.9.1.1 - Access control policy and procedures
- ECC 2024 A.9.2.1 - User registration and de-registration
- ECC 2024 A.9.4.3 - Password management
- ECC 2024 A.10.1.1 - Information security event logging
- ECC 2024 A.10.2.1 - Protection of log information
🔵 SAMA CSF
- SAMA CSF 1.1 - Governance and Risk Management
- SAMA CSF 2.1 - Access Control and Authentication
- SAMA CSF 2.2 - Privileged Access Management
- SAMA CSF 3.1 - Logging and Monitoring
- SAMA CSF 3.2 - Incident Detection and Response
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.15 - Access control
- ISO 27001:2022 A.5.16 - Identification and authentication
- ISO 27001:2022 A.5.23 - Information security for supplier relationships
- ISO 27001:2022 A.8.1 - User endpoint devices
- ISO 27001:2022 A.8.2 - Privileged access rights
🟣 PCI DSS v4.0.1
- PCI DSS 2.1 - Restrict access to system components
- PCI DSS 7.1 - Limit access to system components
- PCI DSS 10.1 - Implement audit logging
- PCI DSS 10.2 - Implement user identification
📦 Affected Products / CPE (1 entry)
openclaw:openclaw
📊 CVSS Score
8.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: C — Changed
Confidentiality: N — None
Integrity: H — High
Availability: L — Low
📋 Quick Facts
Severity: High
CVSS Score: 8.5
CWE: CWE-863
EPSS: 0.04%
Exploit: No
Patch: No
Published: 2026-04-28
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.2 / 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-863