CVE-2026-41300 Overview
OpenClaw before version 2026.3.31 contains a trust-decline flaw in its remote onboarding flow. An endpoint URL found by automated discovery (and therefore attacker-influenceable) is not purged when the operator declines to trust it; the same URL survives into the subsequent manual prompt that asks the operator to accept an endpoint. The flaw is described as an authorization bypass because an operator who accepts the pre-filled endpoint causes gateway credentials to be sent to the attacker's host.
Critical Impact
An attacker who can influence endpoint discovery can harvest gateway credentials: the declined endpoint resurfaces in the manual prompt, and an operator who accepts it routes the credentials to attacker-controlled infrastructure, exposing whatever gateway resources those credentials unlock.
Affected Products
- OpenClaw versions prior to 2026.3.31
Discovery Timeline
- 2026-04-21 - CVE-2026-41300 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-41300
Vulnerability Analysis
This vulnerability is classified as CWE-372 (Incomplete Internal State Distinction): the onboarding flow does not distinguish the state "endpoint discovered" from "endpoint discovered and declined". During remote onboarding, OpenClaw discovers candidate gateway endpoints as part of connection establishment and asks the operator whether to trust the result. When the operator declines, the application records the decision but does not purge the discovered, attacker-influenceable endpoint URL from the flow's state.
The flaw sits in the transition from automated discovery to the manual operator prompt. Because the declined URL persists, it surfaces again in the subsequent manual prompt that requires operator acceptance. An operator who treats that prompt as a fresh, trustworthy suggestion may accept a connection to attacker-controlled infrastructure.
Root Cause
The root cause is incomplete state cleanup in the trust decline workflow. Declining trust should remove every reference to the discovered endpoint from the onboarding state before the manual prompt is built. Instead, the URL is kept and reappears in later onboarding prompts, so one attacker-influenced discovery result continues to steer the flow after the operator has explicitly rejected it.
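The state-handling mistake, as an added illustration written for this page (Python; not OpenClaw's code, and the class, field and function names are assumptions): the vulnerable decline records the decision but leaves the discovered URL in place, so the manual prompt inherits it as its default, and an operator who simply confirms sends credentials to that host. The hardened decline clears every reference before the prompt is built, so the operator has to type the gateway URL.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class OnboardingState:
    """Hypothetical onboarding state: what discovery found, whether the
    operator declined it, and what the manual prompt offers as default."""
    discovered_url: Optional[str] = None
    trust_declined: bool = False
    manual_prompt_default: Optional[str] = None


def discover(state: OnboardingState, url: str) -> OnboardingState:
    # Discovery results come from the network, so an attacker who can answer
    # discovery requests controls this value.
    state.discovered_url = url
    return state


def decline_trust_vulnerable(state: OnboardingState) -> OnboardingState:
    """The pattern the advisory describes: the decision is recorded, but the
    discovered URL is never purged and leaks into the manual prompt."""
    state.trust_declined = True
    # BUG: discovered_url survives the decline and becomes the prompt default.
    state.manual_prompt_default = state.discovered_url
    return state


def decline_trust_fixed(state: OnboardingState) -> OnboardingState:
    """Hardened variant: declining trust clears every reference to the
    discovered endpoint before the manual prompt is constructed."""
    state.trust_declined = True
    state.discovered_url = None
    state.manual_prompt_default = None
    return state


def manual_prompt(state: OnboardingState, operator_input: str = "") -> str:
    """An operator who presses Enter without typing takes the default."""
    typed = operator_input.strip()
    if typed:
        return typed
    if state.manual_prompt_default is None:
        raise ValueError("no default available: operator must enter the gateway URL")
    return state.manual_prompt_default


def run_flow(decline: Callable[[OnboardingState], OnboardingState],
             discovered_url: str, operator_input: str = "") -> Optional[str]:
    """Returns the URL that gateway credentials would be sent to, or None if
    the flow stops because no endpoint was accepted."""
    state = discover(OnboardingState(), discovered_url)
    state = decline(state)
    try:
        return manual_prompt(state, operator_input)
    except ValueError:
        return None


if __name__ == "__main__":
    attacker = "https://gw.evil.example:8443"   # constructed attacker endpoint
    print("vulnerable:", run_flow(decline_trust_vulnerable, attacker))
    print("fixed:     ", run_flow(decline_trust_fixed, attacker))
```

In the vulnerable path an empty operator input is enough to send credentials to the declined host; in the fixed path the same input stops the flow, and only a URL the operator actually typed is used.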
Attack Vector
The attack leverages the network-accessible remote onboarding functionality. An attacker proceeds by:
- Standing up a malicious endpoint that mimics legitimate OpenClaw gateway infrastructure
- Getting that endpoint returned by the remote onboarding discovery step, from a network position where discovery responses can be influenced
- Waiting for the operator to decline trust in the discovered endpoint
- Relying on the declined URL surviving into the subsequent manual prompt as its pre-filled value
- Counting on the operator accepting that pre-filled endpoint, with or without social engineering
The attack requires user interaction, as an operator must ultimately accept the connection. However, because the attacker-controlled URL is presented again as the default after it was rejected, the chance that the operator accepts it, and that gateway credentials are sent to the attacker, is substantially higher than it would be if the prompt started empty.
Detection Methods for CVE-2026-41300
Indicators of Compromise
- Unexpected or unfamiliar endpoint URLs appearing in remote onboarding prompts after a trust decline for the same URL
- Gateway credentials being transmitted to external or unknown hosts
- Repeated endpoint discovery responses from untrusted network sources
- A trust decline event followed by acceptance of, or credential transmission to, the same endpoint in the onboarding logs
Detection Strategies
- Monitor remote onboarding logs for endpoint URLs that reappear after being declined
- Implement alerting for gateway credential transmission to non-whitelisted endpoints
- Review and audit all manually accepted endpoints during remote onboarding workflows
- Deploy network monitoring to detect credential exfiltration to unknown destinations
Monitoring Recommendations
- Enable verbose logging for the remote onboarding subsystem to capture endpoint discovery and trust decision events
- Implement correlation rules to detect endpoints that persist across trust decline actions
- Configure alerts for any gateway credential operations involving previously declined endpoints
- Regularly audit the endpoint discovery cache and internal state for unauthorized entries
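The correlation described in the detection and monitoring items above, as an added example written for this page (Python; not OpenClaw code). The log format, event names, session identifiers and allowlist are all constructed assumptions, chosen so the logic is visible; map them to whatever the real onboarding subsystem emits. Rule 1 flags any declined URL that reappears in a later prompt, acceptance or credential transmission; rule 2 flags credential transmission to any host outside the operator's allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed sample log in a hypothetical key=value format (not OpenClaw's
# real schema). Session s1 shows the CVE-2026-41300 pattern: the declined URL
# resurfaces in the manual prompt, is accepted, and receives credentials.
SAMPLE_LOG = """\
2026-04-02T10:00:01Z onboarding event=discovered session=s1 url=https://gw.evil.example:8443
2026-04-02T10:00:05Z onboarding event=trust_declined session=s1 url=https://gw.evil.example:8443
2026-04-02T10:00:09Z onboarding event=manual_prompt session=s1 url=https://gw.evil.example:8443
2026-04-02T10:00:20Z onboarding event=endpoint_accepted session=s1 url=https://gw.evil.example:8443
2026-04-02T10:00:21Z onboarding event=credential_sent session=s1 url=https://gw.evil.example:8443
2026-04-02T11:00:01Z onboarding event=discovered session=s2 url=https://gateway1.trusted.example.com
2026-04-02T11:00:03Z onboarding event=endpoint_accepted session=s2 url=https://gateway1.trusted.example.com
2026-04-02T11:00:04Z onboarding event=credential_sent session=s2 url=https://gateway1.trusted.example.com
"""

# Assumed operator-maintained allowlist of legitimate gateway hosts.
ALLOWED_GATEWAY_HOSTS = {"gateway1.trusted.example.com", "gateway2.trusted.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) onboarding event=(?P<event>\w+) session=(?P<session>\w+) url=(?P<url>\S+)$"
)

# Events in which a URL that was declined earlier must not appear again.
POST_DECLINE_EVENTS = {"manual_prompt", "endpoint_accepted", "credential_sent"}


def parse_log(text: str) -> list[dict]:
    """Parse the constructed format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def find_resurfaced_endpoints(records: list[dict]) -> list[dict]:
    """Rule 1: a declined URL appears in a later prompt, acceptance or
    credential transmission. Keyed on the URL, so a decline in one session
    also covers a reappearance in a later session."""
    declined = {}  # url -> timestamp of the decline
    alerts = []
    for rec in records:
        url = rec["url"]
        if rec["event"] == "trust_declined":
            declined[url] = rec["ts"]
        elif rec["event"] in POST_DECLINE_EVENTS and url in declined:
            alerts.append({
                "rule": "declined_endpoint_resurfaced",
                "ts": rec["ts"], "session": rec["session"],
                "event": rec["event"], "url": url, "declined_at": declined[url],
            })
    return alerts


def find_credentials_to_unlisted_hosts(records: list[dict],
                                       allowed=ALLOWED_GATEWAY_HOSTS) -> list[dict]:
    """Rule 2: credentials sent to a host outside the allowlist.
    urlparse(...).hostname lower-cases the host and strips port and userinfo."""
    alerts = []
    for rec in records:
        if rec["event"] != "credential_sent":
            continue
        host = urlparse(rec["url"]).hostname
        if host not in allowed:
            alerts.append({
                "rule": "credential_to_unlisted_host",
                "ts": rec["ts"], "session": rec["session"],
                "host": host, "url": rec["url"],
            })
    return alerts


def run_detection(text: str = SAMPLE_LOG) -> list[dict]:
    records = parse_log(text)
    return find_resurfaced_endpoints(records) + find_credentials_to_unlisted_hosts(records)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the sample log, rule 1 fires three times for session s1 (prompt, acceptance, credential transmission, all after the decline) and rule 2 fires once for the credential sent to gw.evil.example; session s2 produces nothing. Rule 1 is the one specific to this CVE; rule 2 is the generic backstop the page recommends and also catches a malicious endpoint that was never declined at all.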
How to Mitigate CVE-2026-41300
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.31 or later immediately
- Review recent remote onboarding logs for any suspicious endpoint acceptances
- Rotate gateway credentials that may have been exposed through compromised onboarding flows
- Implement additional manual verification steps for endpoint acceptance during remote onboarding
Patch Information
The vulnerability has been addressed in the GitHub commit 2a75416634837c21ed05b8c3ed906eb7a7807060. Additional details are available in the GitHub Security Advisory GHSA-9f4w-67g7-mqwv and the VulnCheck Advisory.
Organizations should update to OpenClaw 2026.3.31 or later to receive the fix that properly purges declined endpoints from the internal state.
Workarounds
- Implement strict endpoint whitelisting to only allow connections to pre-approved gateway endpoints
- Disable remote onboarding functionality if not required until the patch can be applied
- Add additional operator verification steps requiring confirmation of endpoint ownership before acceptance
- Configure network-level controls to block outbound connections to unknown or suspicious endpoints
# Illustrative configuration fragment only: the section and key names below are hypothetical
# and must be mapped to the actual OpenClaw configuration schema before use.
# Intent: restrict remote onboarding to allowlisted endpoints and disable auto-discovery.
[remote_onboarding]
enable_strict_whitelist = true
allowed_endpoints = "gateway1.trusted.example.com,gateway2.trusted.example.com"
auto_discovery = false
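Whatever the real configuration keys turn out to be, the check behind such an allowlist should be an exact host match applied before any manual acceptance is honoured. The following is an added example written for this page (Python; not OpenClaw's code, and the hostnames and function names are assumptions). It rejects the usual ways a discovered URL can look like an allowed gateway without being one: plain http, a userinfo component carrying the allowed name, a lookalike subdomain, or the allowed name appearing only in the path.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist corresponding to the illustrative config fragment.
ALLOWED_GATEWAYS = {"gateway1.trusted.example.com", "gateway2.trusted.example.com"}


def is_allowed_gateway(url: str, allowed: set[str] = ALLOWED_GATEWAYS,
                       require_tls: bool = True) -> bool:
    """Exact-host allowlist gate for a candidate gateway URL.

    Deliberately strict: https only, no userinfo, and the host is compared
    exactly (case-folded, trailing dot removed), never by suffix or substring.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. a malformed IPv6 literal such as "https://[::1"
        return False
    if require_tls and parts.scheme.lower() != "https":
        return False
    # "https://gateway1.trusted.example.com@evil.example/": the allowed name is
    # only the userinfo; the host the client would connect to is evil.example.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname         # lower-cased, port and IPv6 brackets stripped
    if not host:
        return False
    return host.rstrip(".") in allowed


def filter_candidate_endpoints(urls, allowed: set[str] = ALLOWED_GATEWAYS) -> dict:
    """Decision per candidate, e.g. for every URL that discovery returned."""
    return {u: is_allowed_gateway(u, allowed) for u in urls}


if __name__ == "__main__":
    # Constructed candidates: two legitimate forms and several lookalikes.
    candidates = [
        "https://gateway1.trusted.example.com/onboard",
        "https://GATEWAY2.trusted.example.com:8443/",
        "http://gateway1.trusted.example.com/",
        "https://gateway1.trusted.example.com.evil.example/",
        "https://gateway1.trusted.example.com@evil.example/",
        "https://evil.example/gateway1.trusted.example.com",
    ]
    for url, ok in filter_candidate_endpoints(candidates).items():
        print("ALLOW " if ok else "REJECT", url)
```

Port numbers are accepted here because the allowlist is host-based; if the deployment pins the gateway port, compare parts.port as well. Used as a gate in front of the manual prompt, this makes a declined attacker URL unacceptable even when the flow still pre-fills it.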
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

