CVE-2026-41299

HIGH

OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard

Title source: cna

Description

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket handshake rather than verified authorization state. Authenticated operator clients can spoof ACP identity labels and inject reserved provenance fields intended only for the ACP bridge by manipulating client metadata during connection.

References (2)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-6xg4-82hv-cp6f

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-client-identity-spoofing-in-chat-send-gateway-provenance-guard

Scores

CVSS v3 7.1

EPSS 0.0006

EPSS Percentile 17.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-807

Status published

Products (4)

npm/openclaw 0 - 2026.3.28npm

OpenClaw/OpenClaw < 2026.3.28

openclaw/openclaw < 2026.3.28

OpenClaw/OpenClaw 2026.3.28

Published Apr 21, 2026

Tracked Since Apr 21, 2026