Authorization Bypass Vulnerability in OpenClaw Product by OpenClaw
CVE-2026-44991

2.3LOW

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-44991?

A vulnerability in OpenClaw prior to version 2026.4.21 allows non-owner users to bypass owner-enforced slash command authorizations. By configuring wildcard inbound senders without specific owner allow settings, attackers can exploit commands like /send, /config, or /debug on susceptible channels. This flaw permits unauthorized command execution, posing significant security risks for affected users.

Affected Version(s)

OpenClaw 0 < 2026.4.21

OpenClaw 2026.4.21

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/2aa93d44a1b2c...

patch

https://github.com/openclaw/openclaw/commit/995febb7b1e81...

patch

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 8, 2026

Credit

zsx (@zsxsoft)

KeenSecurityLab

CVE-2026-44991 Data

JSON