CVE-2026-41377
OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation
| Metric | Value |
|---|---|
| CVSS Score | 4.6 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow: when the security scan of a plugin fails, the failure does not block installation. An attacker can take advantage of a scan failure to get an untrusted plugin installed when an operator proceeds despite the visible scan warnings.
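The fail-open pattern the description refers to, as an added illustration that is not OpenClaw's code: a hypothetical plugin-install gate in Python that runs a scanner, then decides whether to install. The scanner functions, plugin path and the `Verdict`/`InstallDecision` types are constructed for this example. `install_fail_open` shows the CWE-636 behaviour (a scanner error produces a warning but installation still goes ahead); `install_fail_closed` treats an incomplete scan as a block, which is the behaviour a fixed install flow should have.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Iterable

# Hypothetical scanner contract: returns an iterable of finding strings
# (empty means clean) or raises if the scan could not be completed.
Scanner = Callable[[str], Iterable[str]]


class Verdict(Enum):
    CLEAN = "clean"        # scan ran and reported nothing
    FINDINGS = "findings"  # scan ran and reported problems
    ERROR = "error"        # scan crashed, timed out or was unavailable


@dataclass
class ScanResult:
    verdict: Verdict
    findings: list[str] = field(default_factory=list)
    error: str | None = None


@dataclass
class InstallDecision:
    installed: bool
    reason: str


def run_scan(scanner: Scanner, plugin_path: str) -> ScanResult:
    """Run the scanner and classify the outcome; never let an exception escape."""
    try:
        findings = list(scanner(plugin_path))
    except Exception as exc:  # any failure to complete the scan is an ERROR verdict
        return ScanResult(Verdict.ERROR, error=f"{type(exc).__name__}: {exc}")
    if findings:
        return ScanResult(Verdict.FINDINGS, findings=findings)
    return ScanResult(Verdict.CLEAN)


def install_fail_open(scanner: Scanner, plugin_path: str) -> InstallDecision:
    """Flawed gate (the vulnerable pattern): only explicit findings block install.

    A scanner error is surfaced as a warning, but the function still returns
    installed=True, so a plugin that could not be scanned is installed anyway.
    """
    result = run_scan(scanner, plugin_path)
    if result.verdict is Verdict.FINDINGS:
        return InstallDecision(False, "blocked: " + "; ".join(result.findings))
    if result.verdict is Verdict.ERROR:
        # The warning is visible, but nothing stops the install: fail-open.
        return InstallDecision(True, f"warning: scan failed ({result.error}); installing anyway")
    return InstallDecision(True, "scan clean")


def install_fail_closed(scanner: Scanner, plugin_path: str) -> InstallDecision:
    """Hardened gate: install only on a completed, clean scan."""
    result = run_scan(scanner, plugin_path)
    if result.verdict is Verdict.CLEAN:
        return InstallDecision(True, "scan clean")
    if result.verdict is Verdict.FINDINGS:
        return InstallDecision(False, "blocked: " + "; ".join(result.findings))
    # ERROR: the plugin's safety is unknown, so the safe default is to refuse.
    return InstallDecision(False, f"blocked: scan did not complete ({result.error})")


# Constructed scanners standing in for a real plugin scanner.
def clean_scanner(_path: str) -> list[str]:
    return []


def finding_scanner(_path: str) -> list[str]:
    return ["plugin requests shell execution capability"]


def crashing_scanner(_path: str) -> list[str]:
    raise RuntimeError("scanner backend unavailable")


if __name__ == "__main__":
    for name, scanner in [("clean", clean_scanner), ("findings", finding_scanner), ("error", crashing_scanner)]:
        open_dec = install_fail_open(scanner, "example-plugin")
        closed_dec = install_fail_closed(scanner, "example-plugin")
        print(f"{name:8} fail-open={open_dec.installed!s:5} fail-closed={closed_dec.installed!s:5} ({closed_dec.reason})")
```

The two gates agree on clean and on findings; they diverge only on the error path, which is exactly the case the advisory describes. When reviewing an install flow for this class of bug, the check is to enumerate every way the scan can end (clean, findings, exception, timeout, empty or malformed output) and confirm that each non-clean outcome maps to a refusal rather than a warning.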
| Field | Value |
|---|---|
| CWE | CWE-636 |
| Vendor | openclaw |
| Product | openclaw |
| Published | Apr 28, 2026 |
CVSS v3 Breakdown

Vector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
Affected Versions

| Vendor / Product | Affected Range |
|---|---|
| OpenClaw / OpenClaw | >= 0, < 2026.3.31 |
References

- github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-cwq8-6f96-g3q4
- github.com: https://github.com/openclaw/openclaw/commit/7a953a52271b9188a5fa830739a4366614ff9916
- github.com: https://github.com/openclaw/openclaw/commit/44b993613601280d46a5b88190e46669fc13d669
- github.com: https://github.com/openclaw/openclaw/commit/0d7f1e2c84eca65df7dee890d9c30e2a841c030a
- github.com: https://github.com/openclaw/openclaw/commit/bf96c67fd1954740aeabfadc7cfe3098bcfc6b68
- vulncheck.com: https://www.vulncheck.com/advisories/openclaw-fail-open-security-scan-bypass-in-plugin-installation
Credits

davidluzsilva