Inclusion of Functionality from Untrusted Control Sphere in OpenClaw - #VU132701


Published: May 29, 2026


Vulnerability identifier: #VU132701
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute unscanned plugin code.

The vulnerability exists due to inclusion of functionality from an untrusted control sphere (CWE-829) in marketplace runtime extension metadata when a package selected for installation through the affected feature is loaded. A remote user can supply metadata that redirects runtime loading to hidden package content and thereby execute plugin code that was never scanned.

Only instances where the affected feature is enabled and reachable are vulnerable.
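The defensive check implied by this class of weakness is that every file the runtime loads must be one the installer actually scanned, and must sit inside the package. The following TypeScript is an added example written for this advisory; it is not OpenClaw's code and does not use OpenClaw's real metadata schema. The `ExtensionMetadata` shape, the `decideRuntimeLoad` function and the scanned file set are all constructed assumptions for illustration.

```typescript
import * as path from "node:path";

// Hypothetical shape of runtime-extension metadata read at install time
// (assumed for this example; not OpenClaw's actual schema).
interface ExtensionMetadata {
  name: string;
  entrypoint: string;        // file the runtime loads after install
  extraModules?: string[];   // optional additional files to load
}

// Package-relative paths that the scan step actually inspected.
type ScannedFileSet = ReadonlySet<string>;

interface LoadDecision {
  allowed: boolean;
  reason: string;
  resolved?: string[];
}

// Normalise a metadata-supplied path. Returns null for anything that
// could point outside the package: absolute paths, URL/drive prefixes,
// UNC paths, or ".." segments that climb above the package root.
function normaliseEntry(entry: string): string | null {
  if (entry.length === 0) return null;
  const unixStyle = entry.replace(/\\/g, "/");
  if (path.posix.isAbsolute(unixStyle)) return null;
  if (/^[a-zA-Z]+:/.test(unixStyle)) return null;      // "file:", "C:", ...
  if (entry.startsWith("\\\\")) return null;            // UNC share
  const norm = path.posix.normalize(unixStyle);
  if (norm === "." || norm === ".." || norm.startsWith("../")) return null;
  return norm;
}

// Accept the metadata only if every file it asks the runtime to load
// resolves to a path that is inside the package AND was scanned.
// Metadata pointing at "hidden" content (present in the archive but
// absent from the scanned set) is rejected rather than loaded.
function decideRuntimeLoad(meta: ExtensionMetadata, scanned: ScannedFileSet): LoadDecision {
  const requested = [meta.entrypoint, ...(meta.extraModules ?? [])];
  const resolved: string[] = [];
  for (const raw of requested) {
    const norm = normaliseEntry(raw);
    if (norm === null) {
      return { allowed: false, reason: `path escapes package: ${raw}` };
    }
    if (!scanned.has(norm)) {
      return { allowed: false, reason: `not in scanned content: ${raw} -> ${norm}` };
    }
    resolved.push(norm);
  }
  return { allowed: true, reason: "all runtime files were scanned", resolved };
}

// Constructed sample: the scanner inspected these three files only.
const sampleScanned: ScannedFileSet = new Set(["package.json", "dist/index.js", "dist/util.js"]);

// Constructed sample metadata: one honest package and three that try to
// redirect loading outside the scanned content.
const sampleMetadata: ExtensionMetadata[] = [
  { name: "honest", entrypoint: "./dist/index.js", extraModules: ["dist/util.js"] },
  { name: "hidden-file", entrypoint: "dist/../.hidden/loader.js" },
  { name: "traversal", entrypoint: "../../shared/loader.js" },
  { name: "absolute", entrypoint: "/tmp/loader.js" },
];

function runSamples(): Array<[string, LoadDecision]> {
  return sampleMetadata.map((m) => [m.name, decideRuntimeLoad(m, sampleScanned)]);
}

for (const [name, decision] of runSamples()) {
  console.log(`${name}: ${decision.allowed ? "LOAD" : "REJECT"} (${decision.reason})`);
}
```

The important design choice is that the allow-list is the scanner's output, not the metadata: the installer never trusts a path simply because it normalises cleanly, it trusts it only if the scan step already saw that exact file. Rejecting rather than silently rescanning keeps a redirecting manifest visible in logs, which is the signal a defender wants to alert on.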


Remediation

Install the security update from the vendor's website.

Sources