Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.
AnalysisAI
OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.
Technical ContextAI
OpenClaw is an npm-based platform that loads plugins during channel setup operations. The vulnerability stems from CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The channel setup catalog lookup used listChannelPluginCatalogEntries() which searched workspace-scoped plugin directories before bundled plugins, without enforcing the excludeWorkspace flag or checking against the trusted catalog (plugins.allow config). This created a search-order hijacking scenario where an attacker-controlled workspace plugin could resolve before the legitimate bundled channel plugin, bypassing the trust gate that normally restricts workspace plugin loading. The fix introduced listSetupDiscoveryChannelPluginCatalogEntries() and listTrustedChannelPluginCatalogEntries() functions that explicitly route setup catalog lookups through trusted paths with excludeWorkspace: true, and added getTrustedChannelPluginCatalogEntry() that falls back to bundled plugins when workspace shadows are untrusted. The affected component is the channel setup discovery module (src/commands/channel-setup/discovery.ts) and plugin installation logic (src/commands/channel-setup/plugin-install.ts).
RemediationAI
Upgrade openclaw npm package to version 2026.4.10 or later, with version 2026.4.14 being the current stable release containing the fix. The patch commit 1fede43b948df40ca8674511d4bd08d39f6c5837 is available at https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6c5837. The fix routes setup catalog lookups through trusted paths using listSetupDiscoveryChannelPluginCatalogEntries() and listTrustedChannelPluginCatalogEntries() with excludeWorkspace flag enforced, and modifies discovery.ts and plugin-install.ts to prevent workspace shadows from bypassing trust gates. Full vendor advisory with upgrade guidance is at https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2. If immediate upgrade is not feasible, implement strict workspace directory access controls to prevent untrusted users from writing plugin files, and explicitly configure the plugins.allow allowlist to only include verified bundled or explicitly trusted workspace plugins. Audit existing workspace plugin directories for unexpected or unrecognized plugin shadows. Note that restricting workspace write access may impact legitimate development workflows where users need to test custom plugins.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27293
GHSA-82qx-6vj7-p8m2