CVE-2026-41908 Overview
CVE-2026-41908 is an authorization bypass vulnerability in OpenClaw versions before 2026.4.20 that affects the assistant-media route. The vulnerability allows trusted-proxy callers without the required operator.read scope to access protected assistant-media files and metadata. An attacker can bypass the scope check on the identity-bearing HTTP auth path and retrieve sensitive media content from within the allowed media roots.
Critical Impact
Unauthorized access to protected assistant-media files and metadata through scope enforcement bypass in trusted-proxy authentication flow.
Affected Products
- OpenClaw versions before 2026.4.20
Discovery Timeline
- April 23, 2026 - CVE-2026-41908 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41908
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the application fails to properly enforce scope requirements for the assistant.media.get method. The assistant-media route in OpenClaw's gateway component did not validate that trusted-proxy callers possessed the necessary operator.read scope before serving protected media files.
The flaw exists in the control-ui gateway module, where media requests were processed without adequate authorization checks. While the route was protected behind identity-bearing HTTP authentication, the specific scope validation for read operations was missing, allowing authenticated users with insufficient privileges to access resources they should not have been able to reach.
Root Cause
The root cause is a missing scope authorization check in the assistant-media route handler. The assistant.media.get method was not included in the list of methods requiring the READ_SCOPE permission. As a result, trusted-proxy callers could access the /__openclaw__/assistant-media endpoint without having the operator.read scope, bypassing the intended access control mechanism.
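To make the root cause concrete, here is an added example (not OpenClaw's code) that models the gateway's method-to-scope table and a trusted-proxy request to the assistant-media route in both the vulnerable and the patched state. Only the method name, scope name and route prefix come from the advisory; the function names, the request shape and the optional fail-closed default (a hardening that goes beyond the fix described on this page) are assumptions.

```javascript
// Added illustration, not OpenClaw's code. Apart from the method name,
// scope name and route prefix quoted in the advisory, all names are assumed.
const READ_SCOPE = "operator.read";
const CONTROL_UI_ASSISTANT_MEDIA_PREFIX = "/__openclaw__/assistant-media";

// Method -> required scope table. The vulnerable build has no entry for
// "assistant.media.get", so the lookup below finds no scope to require.
function buildMethodScopes({ patched }) {
  const readMethods = ["health", "doctor.memory.status"];
  if (patched) readMethods.unshift("assistant.media.get");
  return new Map(readMethods.map((m) => [m, READ_SCOPE]));
}

// With failClosed=false (the behaviour the bug relies on) an unlisted
// method needs no scope at all; with failClosed=true an unlisted method is
// denied, which would have blocked this class of omission outright.
function authorizeMethod(table, method, callerScopes, { failClosed = false } = {}) {
  const required = table.get(method);
  if (required === undefined) return !failClosed;
  return callerScopes.includes(required);
}

// Simulate the trusted-proxy HTTP path: the route is authorized under the
// RPC method name, then the file under the media root is served or refused.
function handleAssistantMedia(req, { patched, failClosed = false }) {
  if (!req.path.startsWith(CONTROL_UI_ASSISTANT_MEDIA_PREFIX)) return { status: 404 };
  const table = buildMethodScopes({ patched });
  const allowed = authorizeMethod(table, "assistant.media.get", req.scopes, { failClosed });
  return allowed ? { status: 200, body: "<media bytes>" } : { status: 403 };
}
```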
Attack Vector
The attack requires network access and authenticated access as a trusted-proxy caller. An attacker with valid authentication but lacking the operator.read scope can:
- Send HTTP requests to the /__openclaw__/assistant-media endpoint
- Bypass scope validation that should prevent access
- Retrieve protected assistant-media files and associated metadata
The vulnerability requires some level of prior access to the system (authenticated trusted-proxy status), which limits the attack surface to scenarios where an attacker has already compromised a low-privilege account or service.
The security patch adds the missing scope enforcement: it imports the resolveTrustedHttpOperatorScopes and authorizeOperatorScopesForMethod helpers and uses them to validate the caller's permissions:
resolveAssistantAvatarUrl,
} from "./control-ui-shared.js";
import { sendGatewayAuthFailure } from "./http-common.js";
-import { getBearerToken, resolveHttpBrowserOriginPolicy } from "./http-utils.js";
+import {
+ getBearerToken,
+ resolveHttpBrowserOriginPolicy,
+ resolveTrustedHttpOperatorScopes,
+} from "./http-utils.js";
+import { authorizeOperatorScopesForMethod } from "./method-scopes.js";
const ROOT_PREFIX = "/";
const CONTROL_UI_ASSISTANT_MEDIA_PREFIX = "/__openclaw__/assistant-media";
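Review bot: the new imports enforce nothing on their own; the call that resolves the caller's scopes with resolveTrustedHttpOperatorScopes and passes them to authorizeOperatorScopesForMethod before any file under a media root is read for the CONTROL_UI_ASSISTANT_MEDIA_PREFIX route is not in this hunk and is the part that needs review, in particular that the deny path returns through the already-imported sendGatewayAuthFailure instead of falling through to the file read. A regression test that sends a trusted-proxy request without operator.read to the assistant-media route and expects an auth failure would pin that behaviour.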
Source: GitHub Commit Update
Additionally, the assistant.media.get method was added to the list of methods requiring READ_SCOPE:
"node.rename",
],
[READ_SCOPE]: [
+ "assistant.media.get",
"health",
"doctor.memory.status",
"doctor.memory.dreamDiary",
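Review bot: since the single added entry is the whole fix, a short comment above "assistant.media.get" noting that the HTTP assistant-media route is authorized through this method name would keep a future cleanup of the READ_SCOPE list from silently reopening the bypass, and a unit test asserting that authorizeOperatorScopesForMethod denies "assistant.media.get" for a scope set lacking operator.read would guard it.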
Source: GitHub Commit Update
Detection Methods for CVE-2026-41908
Indicators of Compromise
- Unusual access patterns to the /__openclaw__/assistant-media endpoint from accounts lacking operator.read scope
- Authorization log entries showing media file access by users or services without appropriate permissions
- Unexpected retrieval of assistant-media files or metadata by trusted-proxy callers
Detection Strategies
- Review authentication and authorization logs for access to the /__openclaw__/assistant-media route
- Audit trusted-proxy caller activities for scope mismatches where media access occurred without operator.read permission
- Implement monitoring rules to detect requests to assistant-media endpoints that bypass scope validation
Monitoring Recommendations
- Enable detailed logging for all assistant-media route requests including scope information
- Set up alerts for access attempts to protected media endpoints by accounts with insufficient scopes
- Monitor for anomalous patterns in media file access that may indicate exploitation attempts
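The detection and monitoring points above, as an added example that is not OpenClaw tooling: it scans gateway-style access log lines for assistant-media requests made without operator.read and separates successful bypasses from denied attempts. The JSON-lines log format (ts, caller, callerScopes, path, status) and the sample entries are constructed assumptions; only the route prefix and scope name come from the advisory.

```javascript
// Added detection example, not OpenClaw tooling. The log format is assumed;
// the route prefix and scope name are the ones named in the advisory.
const MEDIA_PREFIX = "/__openclaw__/assistant-media";
const READ_SCOPE = "operator.read";

// Constructed sample log lines for the demonstration (one is deliberately malformed).
const SAMPLE_LOG = [
  '{"ts":"2026-04-24T10:00:01Z","caller":"proxy-svc-a","callerScopes":["operator.read"],"path":"/__openclaw__/assistant-media/avatar.png","status":200}',
  '{"ts":"2026-04-24T10:00:05Z","caller":"proxy-svc-b","callerScopes":[],"path":"/__openclaw__/assistant-media/avatar.png","status":200}',
  '{"ts":"2026-04-24T10:00:09Z","caller":"proxy-svc-b","callerScopes":[],"path":"/__openclaw__/assistant-media/notes.json","status":403}',
  '{"ts":"2026-04-24T10:00:12Z","caller":"proxy-svc-c","callerScopes":[],"path":"/health","status":200}',
  "not json at all",
].join("\n");

// A 200 on the media route without operator.read is the bypass signature of
// a vulnerable build; a 403 without it is the patched build refusing the same
// kind of request and is still worth alerting on as an attempt.
function findScopeViolations(logText) {
  const findings = [];
  for (const line of logText.split("\n")) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip unparsable lines
    if (!e || typeof e.path !== "string" || !e.path.startsWith(MEDIA_PREFIX)) continue;
    const scopes = Array.isArray(e.callerScopes) ? e.callerScopes : [];
    if (scopes.includes(READ_SCOPE)) continue;
    findings.push({
      ts: e.ts,
      caller: e.caller,
      path: e.path,
      kind: e.status === 200 ? "bypass-success" : "denied-attempt",
    });
  }
  return findings;
}

// Per-caller counts make a single misbehaving trusted-proxy service easy to spot.
function countByCaller(findings) {
  const counts = {};
  for (const f of findings) counts[f.caller] = (counts[f.caller] || 0) + 1;
  return counts;
}
```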
How to Mitigate CVE-2026-41908
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later immediately
- Review access logs to determine if unauthorized access to assistant-media files has occurred
- Audit all trusted-proxy accounts to ensure proper scope assignments
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.4.20. The fix adds proper scope enforcement by requiring the READ_SCOPE permission for the assistant.media.get method. The patch is available through the GitHub Commit (commit hash: 99ef3a63c58440d53f8e45ad861b846032fcb036).
For additional details, refer to the GitHub Security Advisory or the VulnCheck Advisory.
Workarounds
- Restrict network access to the /__openclaw__/assistant-media endpoint using firewall rules or reverse proxy configurations
- Implement additional authorization layers at the network or application gateway level
- Review and limit trusted-proxy caller access to only necessary services until the patch can be applied
# Example: Restrict access to assistant-media endpoint via nginx
location /__openclaw__/assistant-media {
    # Allow only internal networks until patch is applied (first match wins)
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    # Keep the same proxy_pass (or other upstream directives) used for the rest
    # of the gateway here; otherwise nginx serves this path from its own root.
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

