CVE-2026-41910: OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
The /allowlist command omits the owner-only check for allowlist writes that target a channel other than the one the command arrived on. A sender who is authorized but is not the owner could therefore attempt allowlist writes against a different channel.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.
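The following is an added illustration of the authorization gap described above; it is not OpenClaw's code and does not reproduce the project's command syntax, state shape or roles, all of which are hypothetical here. It models an allowlist command with a per-channel store and places a handler that only checks "is this sender authorized in its own channel" next to one that additionally requires owner status whenever the write targets another channel. The hardened handler also reports whether a write was cross-channel so it can be logged for audit.

```javascript
// Added example, not OpenClaw's own code. Names, command syntax and state shape are hypothetical.

// Constructed sample state: per-channel allowlists plus the set of owner ids.
function makeState() {
  return {
    ownerIds: new Set(["owner-1"]),
    allowlists: {
      telegram: new Set(["owner-1", "alice"]),
      discord: new Set(["owner-1"]),
    },
  };
}

// Parse "/allowlist add|remove <user> [--channel <name>]". Returns null on anything else.
function parseAllowlistCommand(text) {
  const parts = text.trim().split(/\s+/);
  if (parts[0] !== "/allowlist" || parts.length < 3) return null;
  const [, action, user, ...rest] = parts;
  if (action !== "add" && action !== "remove") return null;
  let channel = null;
  const idx = rest.indexOf("--channel");
  if (idx !== -1) {
    if (idx + 1 >= rest.length) return null; // flag given without a value
    channel = rest[idx + 1];
  }
  return { action, user, channel };
}

// A sender is authorized on a channel if it is on that channel's allowlist.
function isAuthorized(state, senderId, channel) {
  const list = state.allowlists[channel];
  return Boolean(list && list.has(senderId));
}

function applyWrite(state, cmd, channel) {
  const list = state.allowlists[channel];
  if (!list) return { ok: false, reason: "unknown channel" };
  if (cmd.action === "add") list.add(cmd.user);
  else list.delete(cmd.user);
  return { ok: true, channel };
}

// Weak handler: authorizes the sender on the channel the command arrived on, then
// writes to whichever channel the command names. An authorized non-owner on one
// channel can therefore edit another channel's allowlist.
function handleAllowlistWeak(state, sender, text) {
  const cmd = parseAllowlistCommand(text);
  if (!cmd) return { ok: false, reason: "bad command" };
  if (!isAuthorized(state, sender.id, sender.channel)) {
    return { ok: false, reason: "not authorized" };
  }
  const target = cmd.channel || sender.channel;
  return applyWrite(state, cmd, target);
}

// Hardened handler: same flow, plus an owner-only gate whenever the target channel
// differs from the sender's channel. The result flags cross-channel writes for audit logs.
function handleAllowlistHardened(state, sender, text) {
  const cmd = parseAllowlistCommand(text);
  if (!cmd) return { ok: false, reason: "bad command" };
  if (!isAuthorized(state, sender.id, sender.channel)) {
    return { ok: false, reason: "not authorized" };
  }
  const target = cmd.channel || sender.channel;
  const crossChannel = target !== sender.channel;
  if (crossChannel && !state.ownerIds.has(sender.id)) {
    return { ok: false, reason: "owner-only: cross-channel allowlist write" };
  }
  const result = applyWrite(state, cmd, target);
  return result.ok ? { ...result, crossChannel } : result;
}
```

The check to carry over into a real handler is the one keyed on the target channel, not the sender's channel: authorization for the channel a command arrives on says nothing about the channel it wants to modify. Logging every accepted write with its `crossChannel` flag gives a simple detection signal for owner-level changes made from an unexpected channel.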
References
- github.com/advisories/GHSA-vc32-h5mq-453v
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
- github.com/openclaw/openclaw/security/advisories/GHSA-vc32-h5mq-453v
- nvd.nist.gov/vuln/detail/CVE-2026-41910
- www.vulncheck.com/advisories/openclaw-missing-owner-only-enforcement-in-allowlist-cross-channel-writes