What is CVE-2026-41914?

CVE-2026-41914 is a server-side request forgery (SSRF) vulnerability in OpenClaw's QQ Bot media download paths that bypasses SSRF protection in versions before 2026.4.8.

What is CVE-2026-42422?

CVE-2026-42422 is a role bypass vulnerability in OpenClaw's device.token.rotate function that allows minting tokens for unapproved roles in versions before 2026.4.8.

What is CVE-2026-42423?

CVE-2026-42423 is an approval-timeout fallback vulnerability that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts in OpenClaw versions before 2026.4.8.

How many CVEs has OpenClaw had in 2026?

OpenClaw has had 138+ CVEs since launch, with new batches being published regularly. These three new CVEs were published on April 29, 2026.

How to patch OpenClaw against these CVEs?

Update to OpenClaw v2026.4.8 or later to patch all three vulnerabilities. Check the GitHub security advisories for specific remediation steps.

← Back to dashboard

clawsmith.com/signal/cve-2026-41914-42422-42423-april-batch-ssrf-role-bypass

⚠ IssueUnknownCoreLive

Three New CVEs Hit OpenClaw April 29: SSRF, Role Bypass, Approval Timeout

Three new CVEs published April 29, 2026: CVE-2026-41914 (SSRF in QQ Bot media download bypasses protection), CVE-2026-42422 (role bypass in device.token.rotate allows minting unapproved role tokens), CVE-2026-42423 (approval-timeout fallback bypasses strictInlineEval on exec hosts). All affect versions before v2026.4.8.

Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

7.2k ▲

OpenClaw shipped 9 CVEs in 4 days (March 2026) including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no coordination between the flood of advisories (156+ total) and their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

SECURITYCLIDEVTOOLOPEN-SOURCESYSADMIN

CompetitiveView Opportunity →