Description
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.
Published: 2026-04-28
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Untrusted Plugin Installation
Action: Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.3.31 contain a fail‑open flaw in the plugin installation workflow. When a security scan flags a plugin, the system allows the installation to proceed if the operator chooses to override the warning. This bypass lets an attacker install malicious or untrusted plugins that could execute arbitrary code or compromise the application. The vulnerability is categorized as CWE‑636, reflecting an improper restriction on operations that depend on status indicators.

Affected Systems

The affected product is OpenClaw, specifically any instance running a version earlier than 2026.3.31. The vulnerability is triggered during the plugin installation process in the OpenClaw application, accessible to users with permission to add plugins. No specific sub‑products or modules are listed beyond the core OpenClaw platform; the issue is present in the base product as indicated by its CPE string.

Risk and Exploitability

The CVSS base score of 5.1 classifies this as a moderate‑severity issue. EPSS data are unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to initiate a plugin installation or to persuade an operator to bypass a security warning, making it more likely to be used in a targeted attack or by an insider with local access. Because the flaw is a security check that fails open rather than a direct arbitrary-code path, the risk is limited to what the installed plugin can do once it runs, which could lead to privilege escalation or data compromise within the OpenClaw environment.

Generated by OpenCVE AI on April 28, 2026 at 23:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.3.31 or later to address the fail‑open bug.
  • Limit plugin installation rights to trusted administrators and enforce a mandatory review for any plugin that fails a security scan.
  • Configure the application or organization policy to require operators to resolve scan failures before allowing installation, effectively blocking the override path.
  • If an update cannot be applied promptly, disable automatic plugin installation and manually vet each plugin to mitigate the risk.
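As an added illustration of the fail-open pattern described in the Impact section and of the fail-closed gate the recommended actions call for, the following JavaScript (chosen because the CPE lists a node.js platform) contrasts a gate that proceeds when the scanner returns no verdict or an operator overrides a warning with one that blocks until a named reviewer has resolved every finding. This is example code written for this page, not OpenClaw's implementation; the scan result shape, the review record and the finding name are assumptions.

```javascript
// Added illustration of CWE-636 (fail open) in a plugin install gate.
// Hypothetical code: not OpenClaw's implementation. Scan results below are constructed.

// Constructed scanner outcomes (assumed shape: status plus a list of finding ids).
const SCAN_RESULTS = {
  clean:   { status: "ok",    findings: [] },
  flagged: { status: "ok",    findings: ["downloads-and-executes-remote-script"] },
  errored: { status: "error", findings: [], error: "scanner timed out" },
};

// Fail-open gate (the vulnerable pattern): a scanner error is treated as
// permission to continue, and a bare operator override clears any finding.
function installDecisionFailOpen(scan, operatorOverride) {
  if (scan.status !== "ok") {
    // No verdict was produced; the vulnerable gate proceeds anyway.
    return { install: true, reason: "scan unavailable, proceeding" };
  }
  if (scan.findings.length > 0 && !operatorOverride) {
    return { install: false, reason: "scan findings, override required" };
  }
  return { install: true, reason: operatorOverride ? "operator override" : "clean" };
}

// Fail-closed gate (hardened): no verdict means no install, and findings block
// unless a review record names a reviewer and resolves each finding explicitly.
function installDecisionFailClosed(scan, review = null) {
  if (scan.status !== "ok") {
    return { install: false, reason: `scan failed: ${scan.error ?? "no verdict"}` };
  }
  if (scan.findings.length === 0) {
    return { install: true, reason: "clean" };
  }
  const resolved = new Set(review?.resolvedFindings ?? []);
  const unresolved = scan.findings.filter((f) => !resolved.has(f));
  if (unresolved.length > 0 || !review?.reviewer) {
    const why = unresolved.length > 0 ? `unresolved findings: ${unresolved.join(", ")}` : "review has no reviewer";
    return { install: false, reason: why };
  }
  return { install: true, reason: `findings resolved by review from ${review.reviewer}` };
}

// Run both gates over the constructed outcomes so the difference is visible:
// the fail-open gate (with an override) installs all three, the fail-closed
// gate (with no review) installs only the clean one.
function compareGates() {
  const rows = [];
  for (const [name, scan] of Object.entries(SCAN_RESULTS)) {
    rows.push({
      scan: name,
      failOpen: installDecisionFailOpen(scan, /* operatorOverride */ true).install,
      failClosed: installDecisionFailClosed(scan, null).install,
    });
  }
  return rows;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareGates());
}
```

The design point is that the hardened gate never derives permission from the absence of a verdict: a scanner error, a missing review or a review that does not cover every finding all resolve to "do not install", which is the behaviour the recommended actions describe as blocking the override path.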

Generated by OpenCVE AI on April 28, 2026 at 23:08 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Description                           OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings.
Title                                 OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation
First Time appeared                   Openclaw
                                      Openclaw openclaw
Weaknesses                            CWE-636
CPEs                                  cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products                    Openclaw
                                      Openclaw openclaw
References
Metrics                               cvssV3_1
                                      {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
                                      cvssV4_0
                                      {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T18:09:40.607Z

Reserved: 2026-04-20T14:10:32.653Z

Link: CVE-2026-41377

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-28T19:37:40.550

Modified: 2026-04-28T20:10:23.367

Link: CVE-2026-41377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses