CVE-2026-41349: OpenClaw Agentic Consent Bypass — CVSS 8.8, Patch Now

CVE-2026-41349 was published on April 23, 2026 and rated HIGH with a CVSS score of 8.8. The vulnerability allows LLM agents running inside OpenClaw to silently disable the execution approval mechanism — the gate that's supposed to require your confirmation before an agent takes a consequential action — by manipulating the config.patch parameter.

No exploitation is currently known in the wild, but the CVSS vector (AV:N/AC:L/PR:L/UI:N) means it's network-reachable, low-complexity, and requires no user interaction. That profile means exploitation is accessible once someone decides to build it.

One-line summary: If you're running OpenClaw before 2026.3.28 and have execution approval enabled, an attacker (or a compromised agent) can silently turn that approval off without you knowing — and then act without your consent.

What Is the Execution Approval Gate?

OpenClaw's execution approval mechanism is a core safety control. When enabled, the agent must request your explicit confirmation before executing certain tool calls — deleting files, sending emails, running shell commands, making API calls with side effects. It's the "confirm before acting" safeguard that prevents runaway agent scenarios.

It's also, as we wrote recently, the control that Meta's Director of AI Safety thought was protecting her inbox — right up until it wasn't (that was a different configuration failure, but illustrates how critical this gate is).

CVE-2026-41349 means that on affected versions, an attacker with low privileges who can reach the agent endpoint can supply or alter the config.patch parameter in a way that disables this gate silently. From that point, the agent executes without asking.

The Attack Path

Most Likely Exploitation Sequence

Attacker identifies an exposed or accessible OpenClaw agent endpoint — via public gateway, compromised API key, malicious skill, or prompt injection in processed content
Attacker sends a request with a crafted config.patch payload — the parameter that normally allows runtime config mutations, but without proper authorization checks in pre-patch versions
The execution approval gate is silently disabled — no UI notification, no log entry visible to the operator, no confirmation request generated
Attacker (or the compromised agent) executes arbitrary tool calls — sending emails, deleting files, running shell commands, exfiltrating data — without triggering the approval workflow
Operator doesn't know until the damage is done

The "low privileges required" rating means the attacker doesn't need admin access — they need enough access to trigger agent behavior. That could be a webhook endpoint, a public-facing chat interface, or a compromised message in a channel the agent monitors.

Who Is Most Exposed?

The highest-risk configurations are:

OpenClaw with a public-facing gateway — network-reachable attack vector means exposure scales with internet accessibility (see yesterday's SecurityScorecard research: 40,000+ exposed instances)
Multi-user or multi-tenant setups — where "low privileges" means another user's session, not an external attacker
Agents with broad tool permissions — email, shell exec, file operations — where disabling the approval gate has maximum impact
Setups where the agent processes external content — emails, webhooks, scraped pages — which could contain prompt injection payloads that trigger the config.patch manipulation

If you're running a localhost-bound gateway for personal use with no external content processing: your exposure is much lower, but patching is still the right call.

Relationship to the April 21 GHSA Advisories

If you read our earlier piece on the four GHSA advisories published April 21, you'll notice a thematic overlap. GHSA-7jm2-g593-4qrc (gateway config mutations bypassing protected operator settings) and CVE-2026-41349 both involve the config.patch pathway failing to enforce authorization checks.

CVE-2026-41349 is the formal CVE entry for a specific, high-severity instance of this class of vulnerability — specifically targeting the execution approval gate rather than general operator settings. The CVSS score of 8.8 versus the "Moderate" rating of GHSA-7jm2 reflects that the execution approval bypass has higher concrete impact: it removes the agent's primary safety control, not just a configuration preference.

If you patched for the April 21 advisories and are already on 2026.3.28 or later, CVE-2026-41349 is covered. If you haven't updated yet — this is the reason to do it today.

How to Patch: 2 Minutes

# Update OpenClaw
npm update -g openclaw

# Verify you're on 2026.3.28 or later
openclaw --version

# Restart gateway
openclaw gateway restart

# Confirm no config warnings
openclaw doctor

Version check: The fix is in 2026.3.28 and all releases after it. The current release as of April 23 is 2026.4.21 — if you're on that, you're covered. If openclaw --version returns anything before 2026.3.28, stop what you're doing and update now.

Detection: How to Know If You Were Affected

No exploitation is currently known, but if you want to audit whether this was exploited against your instance:

Look for config.patch calls in your gateway logs — search for config.patch in ~/.openclaw/agents/main/sessions/ transcript files. Any invocation that didn't come from you is suspicious.
Check for agent executions without approval records — if your logs show tool calls (email sends, file operations, shell commands) without corresponding approval/confirmation events, the gate may have been bypassed.
Review recent agent activity in your channels — any actions your agent took that you didn't explicitly approve warrant investigation.

The Broader Security Week Context

This CVE drops at the end of a week that has been unusually heavy on OpenClaw security coverage:

Apr 21 — Four GHSA advisories (GHSA-7jm2, GHSA-2xcp, GHSA-c4qg, QQBot SSRF)
Apr 22 — "OpenClaw Trojan" malware coverage (name-squatting, 28k systems)
Apr 23 — SecurityScorecard research (40,214 exposed instances, 63% RCE-vulnerable)
Apr 23 — CVE-2026-41349 published (consent bypass, CVSS 8.8)

The pattern is clear: OpenClaw is now prominent enough to attract serious security research attention. The vulnerabilities being found are real, the CVE scores are meaningful, and the exploitation infrastructure (public exploit code for some issues, SecurityScorecard scan data) is being built. Self-hosters who aren't actively maintaining their installations are falling behind.

For operators who found this post late: If you haven't updated OpenClaw in the past month, there are now multiple patched vulnerabilities you're running without. Do the update now, run openclaw doctor --fix, confirm your gateway binding is set to 127.0.0.1, and review your execution approval config to make sure it's enabled.

Not sure if your setup is patched and hardened?

We audit your OpenClaw version, config, gateway exposure, and execution approval settings — and give you a clear report on what needs fixing. One-time, $49, delivered within 24 hours.

Book a Security Audit — $49

Summary

CVE-2026-41349 (CVSS 8.8, HIGH) allows LLM agents to silently disable OpenClaw's execution approval gate via the config.patch parameter. It affects all versions before 2026.3.28. No exploitation is currently known, but the attack profile is accessible and no user interaction is required.

Patch: npm update -g openclaw → openclaw gateway restart. If you're already on 2026.4.21 from the April 21 advisory patches, you're covered. If not, do it now.