CVE-2026-41377

OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.

CVSS v3 4.6 MEDIUM

4.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a	Patch
https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669	Patch
https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916	Patch
https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

01 May 2026, 15:50

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a -~~	() https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a - Patch
References	~~() https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669 -~~	() https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916 -~~	() https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 -~~	() https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4 - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation -~~	() https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation - Third Party Advisory
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw

28 Apr 2026, 19:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-28 19:37

Updated : 2026-05-01 15:50

NVD link : CVE-2026-41377

Mitre link : CVE-2026-41377

CVE.ORG link : CVE-2026-41377

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-636

Not Failing Securely ('Failing Open')

4.6 /10