CVE-2026-41398

MEDIUM NVD

CVSS Score 4.6

Severity MEDIUM

Published Apr 28, 2026

Vendor unknown

Description

OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.request runs by loading attacker-controlled pages from local-network or tailnet hosts, polluting session state and consuming budget.

References

https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57
https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3
https://www.vulncheck.com/advisories/openclaw-unauthorized-agent-request-dispatch-via-untrusted-local-network-pages-in-ios-a2ui-bridge