OpenClaw RCE: Paired Nodes Bypass Auth, Allow Arbitrary Commands

The National Vulnerability Database has disclosed CVE-2026-41352, a high-severity remote code execution (RCE) vulnerability affecting OpenClaw before version 2026.3.31. The flaw, rated CVSS 8.8, allows attackers with existing device pairing credentials to execute arbitrary node commands on the host system. The core issue is a bypass of the node scope gate authentication mechanism.

This is not an initial-access flaw; it is a critical privilege escalation. An attacker who has already compromised or legitimately obtained device pairing credentials can use it to move laterally and gain full control, with no further node pairing validation applied. The National Vulnerability Database classifies the flaw as CWE-862 (Missing Authorization).

For defenders, this means the attack surface isn’t just external; it’s also internal, targeting trusted relationships. Any system relying on OpenClaw for device-paired node operations needs immediate attention. The attacker’s calculus is straightforward: get a foothold, then exploit this to own the system. It’s a clear path from limited access to full compromise.

What This Means For You

  • If your organization utilizes OpenClaw, immediately identify all instances running versions prior to 2026.3.31. Patch these systems to 2026.3.31 or later without delay. Review logs for any unauthorized node command execution, especially from device-paired nodes, as this could indicate an active exploit.
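
A sketch of the version triage step above, as an added example (not code from OpenClaw or from the original advisory). It assumes versions are three dot-separated numbers as shown on this page, optionally prefixed with "v"; the host names and inventory are constructed. Versions are compared numerically because a plain string comparison would rank 2026.3.4 above 2026.3.31 and report a vulnerable host as patched.

```python
import re

# First fixed release, taken from the advisory text.
FIXED = (2026, 3, 31)

# Assumption: versions look like "2026.3.31", optionally prefixed with "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not N.N.N."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory):
    """Split {host: version} into vulnerable, patched and review lists.

    Hosts whose version cannot be parsed go to "review" rather than
    "patched", so an unknown build is never silently treated as safe.
    """
    result = {"vulnerable": [], "patched": [], "review": []}
    for host, version in sorted(inventory.items()):
        parsed = parse_version(version)
        if parsed is None:
            result["review"].append(host)
        elif parsed < FIXED:  # tuple comparison is numeric per component
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = {
    "node-a.example": "2026.3.31",
    "node-b.example": "2026.3.4",    # string compare would call this patched
    "node-c.example": "2026.3.22",
    "node-d.example": "2026.10.1",   # string compare would call this vulnerable
    "node-e.example": "v2026.2.28",
    "node-f.example": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
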

Detection Rules

  • critical, T1190 Initial Access: OpenClaw RCE - Arbitrary Command Execution via Paired Node Bypass - CVE-2026-41352

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-41352 | RCE | OpenClaw |
| CVE-2026-41352 | RCE | OpenClaw before 2026.3.31 |
| CVE-2026-41352 | Auth Bypass | device-paired node can bypass the node scope gate authentication mechanism |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
