Description

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.

INFO

Published Date :

2026-04-23T17:52:32.937Z

Last Modified :

2026-04-23T18:25:54.078Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41908 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41908.

URL Resource
https://github.com/openclaw/openclaw/commit/99ef3a63c58440d53f8e45ad861b846032fcb036 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-v8qf-fr4g-28p2 cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-scope-enforcement-bypass-in-assistant-media-route cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact