CVE-2026-41349 (CVSS 8.8 High), published April 23, allows remote attackers to exploit OpenClaw's config.patch parameter to silently disable execution approval for LLM agents — no authentication required. This is an agentic-specific vulnerability class: the agent itself can be manipulated to remove the consent gate that protects users from unauthorized actions. Fixed in OpenClaw 2026.3.28.