OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.
References
| Link | Resource |
|---|---|
| https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw | Exploit Mitigation Vendor Advisory |
| https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation | Third Party Advisory |
| https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw | Exploit Mitigation Vendor Advisory |
Configurations
History
14 Apr 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw - Exploit, Mitigation, Vendor Advisory |
13 Apr 2026, 20:14
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw - Exploit, Mitigation, Vendor Advisory | |
| References | () https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation - Third Party Advisory | |
| CPE | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* | |
| First Time |
Openclaw openclaw
Openclaw |
10 Apr 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-10 17:17
Updated : 2026-04-14 15:16
NVD link : CVE-2026-35641
Mitre link : CVE-2026-35641
CVE.ORG link : CVE-2026-35641
JSON object : View
Products Affected
openclaw
- openclaw
CWE
CWE-349
Acceptance of Extraneous Untrusted Data With Trusted Data