5 matches found
CVE-2026-41295
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code...
EUVD-2026-23999
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code...
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-ti...
GHSA-82QX-6VJ7-P8M2 OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
Summary Channel setup catalog lookups could include untrusted workspace plugin shadows. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Channel setup could resolve a workspace plugin shadow before a bundled channel plugin, causing setup-ti...
PT-2026-37026
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.10 Description A plugin trust bypass exists where channel setup catalog lookups may resolve workspace plugin shadows before bundled channel plugins. This allows attackers to craft malicious workspace plugins...