CVE-2026-41398
medium
CVSS v3
4.6
CVSS v2
—
VIR risk
4.6
Description
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Predictions
Exploit likelihood
46%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3
Vendor advisory: disclosure@vulncheck.com — https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openclaw | openclaw | {"endExcluding":"2026.4.2"} | 2026.4.2 |
References
- https://github.com/openclaw/openclaw/commit/49d08382a90f71dabe2877b3f6729ad85f808d57
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4p4f-fc8q-84m3
- https://www.vulncheck.com/advisories/openclaw-unauthorized-agent-request-dispatch-via-untrusted-local-network-pages-in-ios-a2ui-bridge
- https://github.com/openclaw/openclaw
- https://github.com/advisories/GHSA-4p4f-fc8q-84m3
CWEs
CWE-346
Verify integrity in audit chain (admin only). AS-IS.