Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.
AnalysisAI
OpenClaw before version 2026.3.31 fails to block plugin installation when security scans detect threats, allowing authenticated users to install malicious plugins by ignoring visible scan warnings. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but enables installation of untrusted code with moderate integrity impact when exploited.
Technical ContextAI
OpenClaw's plugin installation flow implements security scanning as an advisory check rather than a mandatory gate. The vulnerability is classified as CWE-636 (Weak Access Control in Plugin Installation), which describes systems that fail to properly enforce security controls during extension or plugin loading. When the security scan process detects suspicious indicators in a plugin package, the system displays a warning but permits the operator to proceed unconditionally. This fail-open design treats scan failures as informational rather than blocking, allowing bypassing of intended security validation. The affected CPE range cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* indicates all versions before 2026.3.31 are vulnerable.
RemediationAI
Upgrade OpenClaw to version 2026.3.31 or later, which implements proper enforcement of security scan results as a mandatory installation gate. Upstream fixes are available via multiple commits referenced in the GitHub advisory (commits 7a953a5, 44b9936, 0d7f1e2, bf96c67) that enforce scan-blocking logic. Until patching is complete, operators should implement administrative controls: disable plugin installation capability for non-administrative accounts via RBAC, require multi-person approval for plugin installations (separate approval from the install action), and conduct manual security review of any plugin before installation proceeds. Document and audit all plugin installation events to detect patterns of warnings being ignored. Configure OpenClaw's scan settings to the strictest sensitivity level to maximize detection of suspicious indicators. These controls mitigate but do not eliminate risk, as a determined operator can still override warnings.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-636 – Not Failing Securely ('Failing Open')
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26086