EUVD-2026-17373

CVE-2026-32920 | HIGH 8.6 (CVSS 4.0)

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline (4 events)

Apr 07, 2026 02:30 (nvd): Patch Released (patch available)
Mar 31, 2026 11:45 (euvd): EUVD ID Assigned (EUVD-2026-17373)
Mar 31, 2026 11:45 (vuln.today): Analysis Generated
Mar 31, 2026 11:17 (nvd): CVE Published

Severity: HIGH 8.6

Tags

Description

OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. An attacker can achieve code execution by committing crafted workspace plugins to a repository; once a user clones it and runs OpenClaw from that directory, the plugins are loaded and executed.

Analysis

Remote code execution in OpenClaw (versions prior to 2026.3.12) enables attackers to execute arbitrary malicious code when users open compromised repositories. The vulnerability stems from automatic plugin loading from .OpenClaw/extensions/ directories without trust verification, allowing attackers to embed malicious workspace plugins in cloned Git repositories. …


Remediation

Within 24 hours: Identify all OpenClaw installations and their versions via inventory/endpoint management tools; block cloning from untrusted repositories where possible. Within 7 days: Upgrade to OpenClaw 2026.3.12 or later on all developer systems and CI/CD infrastructure; conduct mandatory security briefing on repository trust practices. …
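The two controls the description and the remediation above imply, a version check against 2026.3.12 and an explicit trust gate in front of the workspace plugin directory, are sketched below as an added example; it is not OpenClaw's own code, and the plugin directory name, the allowlist format and the sample plugin files are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical constants: the directory named in the advisory and the fixed version.
PLUGIN_DIR = Path(".OpenClaw") / "extensions"
FIXED_VERSION = (2026, 3, 12)


def is_vulnerable_version(version: str) -> bool:
    """True when an OpenClaw version string sorts before 2026.3.12."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def discover_plugins(workspace: Path) -> list[Path]:
    """Mimic the auto-discovery: every file under <workspace>/.OpenClaw/extensions/."""
    root = workspace / PLUGIN_DIR
    if not root.is_dir():
        return []
    return sorted(p for p in root.rglob("*") if p.is_file())


def gate_plugins(workspace: Path, trust_store: dict[str, str]) -> tuple[list[str], list[str]]:
    """Split discovered plugins into (trusted, blocked) using a content-hash allowlist.

    trust_store maps a plugin path relative to the workspace to its expected SHA-256.
    The allowlist lives outside the repository, so a cloned repo cannot vouch for its
    own plugins; anything absent from it or with a differing hash is blocked, not loaded.
    """
    trusted, blocked = [], []
    for plugin in discover_plugins(workspace):
        rel = plugin.relative_to(workspace).as_posix()
        digest = hashlib.sha256(plugin.read_bytes()).hexdigest()
        (trusted if trust_store.get(rel) == digest else blocked).append(rel)
    return trusted, blocked


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: a freshly cloned repo carrying one unreviewed plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        ext = ws / PLUGIN_DIR
        ext.mkdir(parents=True)
        (ext / "hello.js").write_text("// constructed placeholder, never reviewed\n")
        (ext / "theme.js").write_text("// constructed plugin, previously reviewed\n")
        reviewed = hashlib.sha256((ext / "theme.js").read_bytes()).hexdigest()
        store = {".OpenClaw/extensions/theme.js": reviewed}  # allowlist kept out of the repo
        return gate_plugins(ws, store)


if __name__ == "__main__":
    print(demo())  # (['.OpenClaw/extensions/theme.js'], ['.OpenClaw/extensions/hello.js'])
```

The same gate can be run as a pre-commit or CI step over any cloned repository to flag an unexpected .OpenClaw/extensions/ directory before a vulnerable OpenClaw is ever started in it.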


Priority Score

43 (scale: Low / Medium / High / Critical)

Contributing factors:
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0


EUVD-2026-17373 vulnerability details – vuln.today
