Improper Access Control in OpenClaw iOS A2UI Bridge
CVE-2026-41398
2.1 LOW
What is CVE-2026-41398?
OpenClaw versions before 2026.4.2 suffer from an improper access control vulnerability in the iOS A2UI bridge. Because the bridge treats pages served from the local network as trusted origins, an attacker who can get the app to load a malicious page from a local-network or tailnet host can trigger unauthorized agent.request executions. This can pollute the session state and consume the user's budgets.
Affected Version(s)
OpenClaw >= 0, < 2026.4.2
OpenClaw 2026.4.2
References
CVSS V4
Score: 2.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Nathan (@nexrin)
KeenSecurityLab
qclawer
