External Control of System or Configuration Setting in OpenClaw - CVE-2026-35641


Published: May 1, 2026


Vulnerability identifier: #VU128741
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-35641
CWE-ID: CWE-15
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of an externally managed configuration setting in the local plugin and hook package installation workflow. When a local plugin or hook directory or archive is installed, a crafted .npmrc file shipped inside it is honoured; combined with a git dependency declared by the same package, this lets the package override the path of the git executable that npm runs while resolving that dependency. A remote attacker can supply such a crafted local package to execute arbitrary code.

User interaction is required to install the malicious local package, and exploitation occurs during the installation phase before the plugin or hook is loaded.


How to mitigate CVE-2026-35641

Install the security update from the vendor's website.

Sources