Which versions of Node.js are affected by CVE-2026-35641?

CVE-2026-35641 affects OpenClaw versions before 2026.3.24 and allows local attackers to execute arbitrary code during npm package installation through malicious .npmrc file configuration.. A patch is available.

Node.js CVE-2026-35641

Q: What is the CVSS score of CVE-2026-35641?

CVE-2026-35641 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-21436 HIGH

Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)

2026-04-10 VulnCheck

GHSA-m3mh-3mpg-37hw

RCE Node.js

8.4

CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 16:30 euvd

EUVD-2026-21436

Analysis Generated

Apr 10, 2026 - 16:30 vuln.today

CVE Published

Apr 10, 2026 - 16:03 nvd

HIGH 8.4

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

3 npm packages depend on openclaw (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.24.

DescriptionNVD

OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.

AnalysisAI

Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. …

RemediationAI

Within 24 hours: Inventory all systems running OpenClaw versions prior to 2026.3.24 and restrict npm install operations to trusted environments only. Within 7 days: Implement .npmrc file integrity verification and restrict git executable paths to validated system directories; monitor npm operations for suspicious .npmrc modifications. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-35641 vulnerability details – vuln.today

Back

Node.js CVE-2026-35641

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Node.js CVE-2026-35641

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code