CVE-2026-41388

EUVD-2026-26097
OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate revoked Tlon configuration from file state, bypassing intended revocation controls.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Affected Products (NVD)
VendorProductVersion
openclawopenclaw
𝑥
< 2026.3.31
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/openclaw/openclaw/commit/a4d72a83f01fedd35964c352e3473c7712a3511b
https://github.com/openclaw/openclaw/security/advisories/GHSA-3pm9-5j7m-59vc
https://www.vulncheck.com/advisories/openclaw-configuration-rehydration-via-empty-array-revocation-handling