HIGHCVE-2026-43571Published 2026-05-05Modified 2026-05-05CNA VulnCheck

CVE-2026-43571: OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.

CVSS v4.0: 7.7
Severity: HIGH
Fixed in: 2026.4.10
Affected Products: 1

Fix available

2026.4.10

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.4.10 (from 0)
Fixed in 2026.4.10

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-82qx-6vj7-p8m2)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup

Metrics

Fix available