CVE-2026-41379

HIGH

OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config

Title source: cna
STIX 2.1

Description

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers with operator.write privileges can exploit the chat.send endpoint to reach and modify sensitive voice configuration settings intended for administrators only.

References (3)

Scores

CVSS v3 7.1
EPSS 0.0002
EPSS Percentile 5.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (2)
OpenClaw/OpenClaw < 2026.3.28
OpenClaw/OpenClaw 2026.3.28
Published Apr 28, 2026
Tracked Since Apr 29, 2026