CVE-2026-41349: OpenClaw Agentic Consent Bypass Allows Unauthorized Agent Execution Without User Approval
Date: 2026-04-24
Tags: malicious-tool
Executive Summary
OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability that allows LLM agents to silently disable execution approval via the config.patch parameter. Remote attackers can exploit this to bypass security controls and execute unauthorized operations without user consent. CVE-2026-41349 is a High-severity vulnerability (CVSS 8.8). It represents a critical architectural weakness in agentic AI systems, where approval controls can be circumvented by malicious prompts or compromised configurations.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | CVE-2026-41349 Exploitation Window |
| Attribution | Multiple potential threat actors; proof-of-concept exploitation likely imminent (confidence: low) |
| Target | OpenClaw instances in production environments with tool/action execution permissions |
| Vector | Malicious agent prompts or configuration injection via config.patch parameter |
| Status | active |
| First Observed | 2026-04-24 |
Detailed Findings
If your OpenClaw agents are used to perform actions (integrations, tool execution, automated workflows), consent bypass undermines one of the last control points preventing "agentic" misuse. Even without direct data theft, the impact on integrity and availability suggests real-world disruption is plausible. The attack is network-reachable with low complexity and no user interaction, so exploitation can start from an external request to an agent endpoint. Because only low privileges are required, an attacker needs only a way to trigger agent behaviour (e.g., API call, job submission, webhook) and to supply or alter the relevant patch configuration to disable approvals. Because the CVSS Scope is Unchanged and User Interaction is None, lateral movement depends more on what the agent can already reach than on exploiting other vulnerabilities. This vulnerability is particularly dangerous in multi-tenant or cloud-exposed OpenClaw deployments where agents have integrated access to business tools.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Abuse Elevation Control Mechanism | T1548 | Bypass of approval control mechanism via config.patch parameter manipulation |
| Execution | T1072 | Unauthorized execution of agent actions (tool calls, code execution, automations) after consent bypass |
IOCs
Domains
_OpenClaw versions prior to 2026.3.28 are vulnerable; attack vector: config.patch parameter in agent API requests_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
openclaw
Detection Recommendations
- Monitor OpenClaw agent API requests for the presence of config.patch parameters or other config modification attempts.
- Alert on any agent execution that occurs without corresponding approval/confirmation events in the same session.
- Implement mandatory approval logging and verify that all approvals are recorded before tool execution begins.
- Use network segmentation to restrict OpenClaw API access to trusted internal networks.
- Implement strict input validation on config parameters to reject any attempt to modify approval settings.
- Upgrade all OpenClaw deployments to version 2026.3.28 or later immediately.
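
The first two recommendations above, written as detection logic over JSON-lines events. This is an added example, not code from OpenClaw or from the advisory's sources; the log schema (`session`, `event`, `call_id`, `params`) and the sample events are constructed assumptions to be mapped onto the fields your deployment actually records.

```python
import json

# Constructed sample events. The schema (session, event, call_id, params) is an
# assumption for illustration, not OpenClaw's actual log format.
SAMPLE_LOG = """\
{"ts": 1, "session": "s1", "event": "api_request", "params": {"prompt": "summarize inbox"}}
{"ts": 2, "session": "s1", "event": "approval", "call_id": "c1"}
{"ts": 3, "session": "s1", "event": "tool_exec", "call_id": "c1", "tool": "mail.read"}
{"ts": 4, "session": "s2", "event": "api_request", "params": {"config.patch": "<redacted>"}}
{"ts": 5, "session": "s2", "event": "tool_exec", "call_id": "c2", "tool": "shell.run"}
{"ts": 6, "session": "s3", "event": "approval", "call_id": "c3"}
{"ts": 7, "session": "s4", "event": "tool_exec", "call_id": "c3", "tool": "files.write"}
{"ts": 8, "session": "s1", "event": "tool_exec", "call_id": "c1", "tool": "mail.send"}
"""

def key_paths(obj, prefix=""):
    """Yield dotted key paths, so flat and nested forms of config.patch both match."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else str(key)
            yield path
            yield from key_paths(value, path)
    elif isinstance(obj, list):
        for item in obj:
            yield from key_paths(item, prefix)

def detect(lines):
    """Return (ts, session, reason) alerts for the two conditions the advisory names."""
    approved, alerts = {}, []  # approved: session -> call_ids approved, not yet used
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        sid, kind = ev.get("session"), ev.get("event")
        if kind == "api_request":
            paths = key_paths(ev.get("params", {}))
            if any(p == "config.patch" or p.endswith(".config.patch") for p in paths):
                alerts.append((ev["ts"], sid, "config_patch_in_request"))
        elif kind == "approval":
            approved.setdefault(sid, set()).add(ev.get("call_id"))
        elif kind == "tool_exec":
            pending = approved.get(sid, set())
            if ev.get("call_id") in pending:
                pending.discard(ev["call_id"])  # an approval covers one execution
            else:
                alerts.append((ev["ts"], sid, "exec_without_approval"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Approvals are matched per session and consumed on use, so an approval recorded in another session or replayed for a second execution still raises an alert.
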
References
- [The Hacker Wire] CVE-2026-41349 - OpenClaw Consent Bypass Vulnerability (2026-04-24) — https://www.thehackerwire.com/vulnerability/CVE-2026-41349/
- [Red Packet Security] CVE Alert: CVE-2026-41349 - OpenClaw (2026-04-24) — https://www.redpacketsecurity.com/cve-alert-cve-2026-41349-openclaw-openclaw/