CVE-2026-41359
Severity: HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence
Title source: cnaDescription
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the send endpoint. Attackers with operator.write credentials can exploit insufficient access controls to reach sensitive administrative functionality and modify persistence mechanisms.
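The description above is the CWE-269 shape where a single multiplexed endpoint is guarded by one coarse scope check and the request body then selects admin-class effects. The block below is an added illustration, not OpenClaw's code: it models that pattern in TypeScript as a vulnerable handler beside a hardened one, so the difference is visible in the authorization decisions rather than only in prose. The scope names (operator.write, admin.write), the request kinds (message, telegram.config, cron.job), the payload shape and the principals are all assumptions made for the example.

```typescript
// Added example, not OpenClaw's code. Models the CWE-269 pattern behind this
// advisory: one "send" endpoint guarded by a single coarse scope check, where
// the request body then selects admin-class effects. Scope names, request
// kinds and payload shapes are assumed for illustration only.

type Scope = "operator.read" | "operator.write" | "admin.write";

interface Principal {
  id: string;
  scopes: ReadonlySet<Scope>;
}

// `kind` is a plain string because it arrives in the untrusted request body.
interface SendRequest {
  kind: string;
  payload: Record<string, unknown>;
}

interface Decision {
  allowed: boolean;
  reason: string;
}

// Vulnerable shape: the only authorization decision is "does the caller hold
// operator.write?", taken before the request is classified. Every effect
// reachable through the endpoint therefore inherits that one scope.
function sendVulnerable(p: Principal, req: SendRequest): Decision {
  if (!p.scopes.has("operator.write")) {
    return { allowed: false, reason: "operator.write required" };
  }
  switch (req.kind) {
    case "message":
      return { allowed: true, reason: "message queued" };
    case "telegram.config":
      // admin-class configuration change, no further check
      return { allowed: true, reason: "telegram config updated" };
    case "cron.job":
      // admin-class persistence change, no further check
      return { allowed: true, reason: "cron job persisted" };
    default:
      return { allowed: false, reason: "unknown kind" };
  }
}

// Hardened shape: the required scope is a property of the effect, not of the
// endpoint. Classify first, then look up the minimum scope for that effect;
// anything missing from the table is denied. A Map is used rather than a
// plain object so keys such as "constructor" cannot resolve via the prototype.
const REQUIRED_SCOPE: ReadonlyMap<string, Scope> = new Map<string, Scope>([
  ["message", "operator.write"],
  ["telegram.config", "admin.write"],
  ["cron.job", "admin.write"],
]);

function sendHardened(p: Principal, req: SendRequest): Decision {
  const needed = REQUIRED_SCOPE.get(req.kind);
  if (needed === undefined) {
    return { allowed: false, reason: `unknown kind ${req.kind}` };
  }
  if (!p.scopes.has(needed)) {
    return { allowed: false, reason: `${needed} required for ${req.kind}` };
  }
  return { allowed: true, reason: `${req.kind} accepted` };
}

// Audit helper: which request kinds does a principal reach under the vulnerable
// handler that the hardened handler refuses? An empty result means the
// hardened check closes no path for that principal, i.e. there was nothing to
// escalate to.
function escalationPaths(p: Principal, kinds: readonly string[]): string[] {
  return kinds.filter((kind) => {
    const req: SendRequest = { kind, payload: {} };
    return sendVulnerable(p, req).allowed && !sendHardened(p, req).allowed;
  });
}

// Constructed principals for the demonstration (assumed, not real accounts).
const operatorOnly: Principal = {
  id: "op-1",
  scopes: new Set<Scope>(["operator.read", "operator.write"]),
};
const adminUser: Principal = {
  id: "adm-1",
  scopes: new Set<Scope>(["operator.read", "operator.write", "admin.write"]),
};

const ALL_KINDS = ["message", "telegram.config", "cron.job"] as const;

console.log("operator escalation paths:", escalationPaths(operatorOnly, ALL_KINDS));
console.log("admin escalation paths:", escalationPaths(adminUser, ALL_KINDS));
```

Run with a TypeScript runner such as `tsx` or `ts-node`. With the assumed scopes, the operator-only principal reaches `telegram.config` and `cron.job` through the vulnerable handler and is refused by the hardened one, while the admin principal shows no difference. The design point is that the lookup table ties the privilege to the effect, so adding a new request kind without an entry fails closed instead of silently inheriting operator.write.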
Scores
CVSS v3: 7.1 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector: NETWORK
Decoded vector: reachable over the network, low attack complexity, low privileges required (an authenticated operator), no user interaction, unchanged scope, low confidentiality impact and high integrity impact (the admin-class configuration and cron persistence can be modified), no availability impact. The base score of 7.1 is consistent with that vector under the CVSS 3.1 formula.
EPSS: 0.0002 (0.02%)
EPSS Percentile: 5.6%
Details
CWE: CWE-269 (Improper Privilege Management)
Status: published
Products (2):
OpenClaw/OpenClaw < 2026.3.28 (affected)
OpenClaw/OpenClaw 2026.3.28 (first release outside the affected range, per the description's "before 2026.3.28")
Published: Apr 23, 2026
Tracked Since: Apr 24, 2026