clawsmith.com/signal/cve-2026-41301-nostr-dm-auth-bypass-pairing-dos

CVE-2026-41301: Nostr DM auth bypass allows forged pairing state creation in OpenClaw

Signature verification bypass in the Nostr DM ingress path of OpenClaw versions 2026.3.22 through 2026.3.30. The authorizeSender callback was invoked before cryptographic signature validation, letting unauthenticated attackers forge direct messages, create pending pairing entries, and consume shared pairing capacity. The fix in 2026.3.31 reorders the security control flow.
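The control-flow ordering described above, as an added example that is not OpenClaw's own code: a keyed HMAC over the NIP-01 event id stands in for Nostr's Schnorr signature (an assumption made for a self-contained demo), and `PairingStore`, `DEMO_KEYS` and the function names are hypothetical.

```python
import hashlib
import hmac
import json
# Constructed stand-in: a keyed HMAC over the event id plays the role of the Nostr
# event signature (real Nostr uses BIP-340 Schnorr); the ordering bug is the point.
DEMO_KEYS = {"alice_pubkey": b"alice-demo-secret"}  # hypothetical sender registry

def event_id(ev):
    # NIP-01 event id: sha256 over the canonical JSON array serialization
    payload = [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]]
    return hashlib.sha256(json.dumps(payload, separators=(",", ":")).encode()).hexdigest()

def verify_event(ev):
    # Both the id and the signature must check out for the claimed pubkey.
    key = DEMO_KEYS.get(ev["pubkey"])
    if key is None or ev["id"] != event_id(ev):
        return False
    expected = hmac.new(key, ev["id"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ev["sig"])

class PairingStore:
    def __init__(self, capacity):
        self.capacity, self.pending = capacity, set()
    def authorize_sender(self, pubkey):
        # Unknown senders get a pending pairing slot until shared capacity runs out.
        if pubkey in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            return False
        self.pending.add(pubkey)
        return True

def ingest_vulnerable(store, ev):
    # Advisory's bug pattern: authorizeSender side effect runs before signature validation.
    if not store.authorize_sender(ev["pubkey"]):
        return "rejected:capacity"
    return "accepted" if verify_event(ev) else "rejected:bad_signature"

def ingest_fixed(store, ev):
    # Fix: validate the signature first so unauthenticated input has no side effects.
    if not verify_event(ev):
        return "rejected:bad_signature"
    return "accepted" if store.authorize_sender(ev["pubkey"]) else "rejected:capacity"

def make_dm(sender_pubkey, key=None):
    # Constructed kind-4 DM; without a key the signature is garbage (a forged message).
    ev = {"pubkey": sender_pubkey, "created_at": 1, "kind": 4, "tags": [], "content": "hi"}
    ev["id"] = event_id(ev)
    ev["sig"] = hmac.new(key, ev["id"].encode(), hashlib.sha256).hexdigest() if key else "00"
    return ev
```

With a capacity of two, two forged messages fill the vulnerable store's pending set even though both are rejected, so a legitimately signed sender is then turned away; the fixed path leaves the store untouched by forged input.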

Product Idea from this Signal

A background service that enforces change control policies on OpenClaw skill edits, blocking unapproved modifications and logging every mutation with cryptographic audit trails

23

OpenClaw v2026.5.30 added Skill Workshop governance primitives (propose, review, approve, reject, quarantine, rollback), but CVE-2026-41301 showed that security control ordering bugs still slip through. Teams running OpenClaw in production need a policy enforcement layer that sits between skill authors and the live instance, blocking unapproved changes, validating skill manifests against a security policy, and maintaining a tamper-proof audit log. The 138 CVEs in 5 months and 341+ malicious ClawHub skills make this mandatory for any serious deployment.

Tags: BACKGROUND-SERVICE, SECURITY, GOVERNANCE, DEVTOOL, OPENCLAW

Score Breakdown

GitHub
13
