{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openclaw/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41395"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["webhook","replay-attack","plivo"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.28 is susceptible to a webhook replay vulnerability affecting Plivo V3 signature verification. The vulnerability arises from the application\u0026rsquo;s method of canonicalizing query parameter ordering for signature verification while simultaneously employing raw URLs for replay detection. This discrepancy allows attackers to manipulate the order of query parameters within a captured, valid, signed webhook, effectively bypassing the replay cache detection mechanism. This could lead to the unintended execution of duplicate voice-call processing. The vulnerability was reported on April 28, 2026, and poses a risk to systems relying on OpenClaw for processing Plivo webhooks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker captures a valid, signed webhook request from Plivo to OpenClaw.\u003c/li\u003e\n\u003cli\u003eAttacker analyzes the captured webhook request, noting the query parameters and their order.\u003c/li\u003e\n\u003cli\u003eAttacker reorders the query parameters in the captured webhook request, while maintaining the validity of the signature (due to OpenClaw\u0026rsquo;s canonicalization of query ordering for signature verification).\u003c/li\u003e\n\u003cli\u003eAttacker replays the modified webhook request to the OpenClaw server.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the replayed webhook request because the replay detection mechanism is bypassed due to the reordered query parameters resulting in a different raw URL.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application initiates a duplicate voice-call processing as a result of the replayed webhook.\u003c/li\u003e\n\u003cli\u003eThe victim experiences unintended or duplicate voice calls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unintended or duplicate voice calls, potentially causing disruption of services and financial implications due to unnecessary call charges. While the direct impact is limited to the processing of voice calls, the vulnerability highlights a weakness in webhook security that could be exploited further in other contexts. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41395).\u003c/li\u003e\n\u003cli\u003eImplement server-side logging for all incoming webhook requests, capturing the raw request URL and timestamp. Deploy the Sigma rule \u003ccode\u003eDetect Suspicious Webhook Replay\u003c/code\u003e to identify potential replay attacks based on duplicate URLs within a short timeframe.\u003c/li\u003e\n\u003cli\u003eConsider implementing additional server-side validation of webhook requests, such as verifying the timestamp to ensure it falls within an acceptable window.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-webhook-replay/","summary":"OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.","title":"OpenClaw Webhook Replay Vulnerability (CVE-2026-41395)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-webhook-replay/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42423"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","privilege-escalation","execution"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a software application, is vulnerable to an approval-timeout bypass (CVE-2026-42423) affecting versions prior to 2026.4.8. This vulnerability stems from a flaw in the strictInlineEval approval mechanism, where an approval-timeout fallback allows the execution of inline eval commands without explicit user approval. An attacker with low privileges can exploit this vulnerability on gateway and node exec hosts to circumvent the intended security boundary. This can lead to unauthorized command execution and potential system compromise. Defenders should upgrade to version 2026.4.8 or implement mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains low-privilege access to a gateway or node exec host running a vulnerable version of OpenClaw (prior to 2026.4.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious inline eval command intended to be executed on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute the malicious inline eval command, triggering the strictInlineEval approval mechanism.\u003c/li\u003e\n\u003cli\u003eThe system initiates the explicit approval process, awaiting user confirmation before executing the command.\u003c/li\u003e\n\u003cli\u003eThe attacker waits for the pre-configured approval-timeout to expire without providing any explicit approval.\u003c/li\u003e\n\u003cli\u003eThe approval-timeout fallback mechanism is triggered due to the lack of user approval within the defined timeframe.\u003c/li\u003e\n\u003cli\u003eThe system bypasses the explicit-approval requirement due to the timeout fallback, and the malicious inline eval command is executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary command execution on the affected host, potentially escalating privileges and compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42423 allows an attacker to bypass intended security boundaries and execute arbitrary commands on OpenClaw gateway and node exec hosts. This can lead to privilege escalation, unauthorized data access, and potential system compromise. The severity is rated as high (CVSS 7.5) due to the potential for significant impact on confidentiality, integrity, and availability. The number of affected systems depends on the deployment scope of vulnerable OpenClaw versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42423.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for indicators of unauthorized inline eval command execution, focusing on unexpected activity following approval timeouts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the blast radius of potential compromises, should an attacker successfully exploit CVE-2026-42423 and gain unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-approval-bypass/","summary":"OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.","title":"OpenClaw StrictInlineEval Approval Bypass Vulnerability (CVE-2026-42423)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-approval-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-42431"}],"_cs_exploited":false,"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["security-bypass","browser-automation","profile-mutation"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw, a browser automation tool, is vulnerable to a security bypass (CVE-2026-42431) affecting versions prior to 2026.4.8. This vulnerability resides in the \u003ccode\u003enode.invoke(browser.proxy)\u003c/code\u003e function, which improperly allows mutation of persistent browser profiles. An attacker can leverage this flaw to bypass the \u003ccode\u003ebrowser.request\u003c/code\u003e persistent profile-mutation guard. Successful exploitation leads to unauthorized modification of browser configurations, potentially enabling malicious activities such as injecting malicious extensions, altering browser settings, or compromising user data. The vulnerability was publicly disclosed on April 28, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious script that calls the \u003ccode\u003enode.invoke(browser.proxy)\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe script is designed to bypass the \u003ccode\u003ebrowser.request\u003c/code\u003e persistent profile-mutation guard.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enode.invoke(browser.proxy)\u003c/code\u003e function is exploited to mutate the persistent browser profile.\u003c/li\u003e\n\u003cli\u003eThe browser configuration is modified to include malicious settings, such as altered proxy settings or injected malicious extensions.\u003c/li\u003e\n\u003cli\u003eOpenClaw uses the modified browser profile for subsequent browser automation tasks.\u003c/li\u003e\n\u003cli\u003eThe malicious configurations allow the attacker to intercept or modify browser traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or injects malicious content into the browser session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42431 allows attackers to modify browser configurations, potentially leading to data theft, session hijacking, or the injection of malicious content. This can compromise user credentials, financial data, or other sensitive information handled by the browser. The vulnerability affects all users of OpenClaw versions prior to 2026.4.8. While the exact number of affected users is unknown, the impact is high due to the potential for widespread compromise of browser profiles and associated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42431.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw scripts for suspicious calls to \u003ccode\u003enode.invoke(browser.proxy)\u003c/code\u003e using network connection monitoring.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify OpenClaw scripts and browser profiles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect attempts to bypass the \u003ccode\u003ebrowser.request\u003c/code\u003e persistent profile-mutation guard.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-bypass/","summary":"OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows attackers to circumvent the browser.request persistent profile-mutation guard and modify browser configurations.","title":"OpenClaw Security Bypass Vulnerability Allows Persistent Browser Profile Mutation","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-42422"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["role-bypass","privilege-escalation","cve-2026-42422"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a yet-to-be-defined software, is vulnerable to a role bypass flaw affecting versions prior to 2026.4.8. This vulnerability, identified as CVE-2026-42422, resides within the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function. Attackers can exploit this weakness to mint tokens associated with roles that have not undergone proper authorization. The core issue lies in the ability to bypass the intended device role-upgrade pairing mechanism, granting unauthorized access to roles and scopes. This circumvention allows malicious actors to either maintain existing roles illegitimately or create new ones without appropriate approval, potentially leading to significant privilege escalation and unauthorized data access within the affected system. Defenders need to ensure they are running at least version 2026.4.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eAttacker interacts with the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to mint a token, specifying an unapproved role.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the system incorrectly validates the request.\u003c/li\u003e\n\u003cli\u003eA token is minted successfully with the unapproved role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the minted token to authenticate to the OpenClaw instance.\u003c/li\u003e\n\u003cli\u003eThe attacker now has access to resources and functionalities associated with the unapproved role.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions with elevated privileges, bypassing intended access controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42422 allows attackers to bypass intended authorization mechanisms within OpenClaw. This can lead to significant privilege escalation, potentially granting unauthorized access to sensitive data and critical system functionalities. The impact depends on the specific roles and scopes that can be minted, but it could range from data breaches to complete system compromise. While the exact number of affected systems remains unclear, any OpenClaw deployment prior to version 2026.4.8 is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenClaw installations to version 2026.4.8 or later to remediate CVE-2026-42422.\u003c/li\u003e\n\u003cli\u003eMonitor logs for unusual activity related to the \u003ccode\u003edevice.token.rotate\u003c/code\u003e function, particularly requests attempting to mint tokens with unexpected or unapproved roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw Token Minting with Unapproved Roles\u0026rdquo; to detect exploitation attempts targeting CVE-2026-42422.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-role-bypass/","summary":"OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function, allowing attackers to mint tokens for unapproved roles and bypass intended approval processes.","title":"OpenClaw Role Bypass Vulnerability in device.token.rotate Function","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-role-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-41914"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-41914","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw, a QQ Bot platform, is susceptible to a server-side request forgery (SSRF) vulnerability. This flaw exists in versions prior to 2026.4.8 within the media download paths of the QQ Bot functionality. Specifically, the vulnerability allows attackers to bypass existing SSRF protections. By exploiting unprotected media fetch endpoints, malicious actors can potentially gain unauthorized access to internal resources and circumvent established allowlist policies. This vulnerability poses a significant risk to the confidentiality and integrity of systems and data accessible from the OpenClaw server. Successful exploitation can lead to information disclosure, denial of service, or even remote code execution on internal systems, depending on the accessible resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an OpenClaw instance running a version prior to 2026.4.8.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting the QQ Bot media download functionality. This URL contains a payload designed to exploit the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious URL into the QQ Bot\u0026rsquo;s media download path, bypassing expected SSRF protections.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the crafted URL without proper validation, initiating a request to an attacker-controlled internal resource.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server makes a request to the specified internal resource, potentially exposing sensitive information or triggering unintended actions.\u003c/li\u003e\n\u003cli\u003eThe internal resource responds to the OpenClaw server, and the response is potentially relayed back to the attacker or used to further compromise the system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal resources or sensitive data due to the successful SSRF attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-41914) can lead to the disclosure of sensitive information from internal systems, potentially affecting all users and services dependent on the compromised OpenClaw instance. The severity is amplified by the potential to bypass existing SSRF protections, increasing the attack surface and difficulty of detection. Impact ranges from information disclosure to potential compromise of other internal services, depending on the specific internal resources accessible from the OpenClaw server.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch the SSRF vulnerability (CVE-2026-41914).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious OpenClaw SSRF Attempt\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable media download paths.\u003c/li\u003e\n\u003cli\u003eImplement strict network segmentation to limit the impact of a successful SSRF attack by restricting access to sensitive internal resources from the OpenClaw server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-ssrf/","summary":"OpenClaw before 2026.4.8 is vulnerable to server-side request forgery (SSRF) in QQ Bot media download paths, allowing attackers to bypass SSRF protections and access internal resources.","title":"OpenClaw QQ Bot Media Download SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41404"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","authentication","cve-2026-41404"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is vulnerable to a privilege escalation flaw within its trusted-proxy authentication mechanism. This vulnerability, identified as CVE-2026-41404, stems from an incomplete scope clearing process. The core issue lies in the ability for attackers to declare operator scopes on clients that are not part of the Control-UI. This leads to a situation where these self-declared scopes are erroneously persisted on authentication paths that bear identity. This allows an attacker to escalate their privileges to operator.admin, effectively gaining administrative control over the OpenClaw instance. This poses a significant risk to the confidentiality, integrity, and availability of systems relying on OpenClaw for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance using trusted-proxy authentication mode.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a request to a non-Control-UI client, declaring operator scopes within the authentication header.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s incomplete scope clearing mechanism fails to remove the attacker-declared operator scopes.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates through an identity-bearing authentication path.\u003c/li\u003e\n\u003cli\u003eDue to the persisted operator scopes, the attacker is granted elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the escalated operator.admin privileges to perform unauthorized actions. This could include modifying configurations, accessing sensitive data, or disrupting services.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access by creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain operator.admin privileges within the OpenClaw environment. This can lead to complete control over the affected OpenClaw instance. Consequences include unauthorized access to sensitive data, modification of system configurations, and disruption of services. The severity is compounded by the fact that the vulnerability exists in the authentication mechanism, potentially affecting all users and systems relying on OpenClaw for access control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41404.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on authentication headers to prevent the declaration of unauthorized scopes.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenClaw Unauthorized Scope Declaration\u003c/code\u003e to monitor for suspicious authentication requests.\u003c/li\u003e\n\u003cli\u003eReview and audit existing OpenClaw configurations to identify and remove any unauthorized operator scopes.\u003c/li\u003e\n\u003cli\u003eMonitor logs for successful logins with unexpected admin privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-privilege-escalation/","summary":"OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation by declaring operator scopes on non-Control-UI clients.","title":"OpenClaw Privilege Escalation via Trusted Proxy Authentication (CVE-2026-41404)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-42428"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","plugin","integrity","CVE-2026-42428"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.4.8 are susceptible to a critical vulnerability (CVE-2026-42428) due to the lack of integrity verification for downloaded plugin archives. This flaw allows a malicious actor to install crafted or tampered plugin packages onto a user\u0026rsquo;s system without any validation or warning. Successful exploitation grants the attacker the ability to compromise the OpenClaw assistant environment, potentially leading to arbitrary code execution, data theft, or other malicious activities. The vulnerability was reported on April 28, 2026, and poses a significant risk to users who rely on OpenClaw for their assistant needs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target running a vulnerable version of OpenClaw (prior to 2026.4.8).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious plugin archive containing malicious code or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker entices the user to download the malicious plugin archive, potentially through social engineering or by hosting it on a compromised website.\u003c/li\u003e\n\u003cli\u003eThe user installs the malicious plugin archive via OpenClaw\u0026rsquo;s plugin installation mechanism.\u003c/li\u003e\n\u003cli\u003eDue to the missing integrity check, OpenClaw installs the plugin without verifying its authenticity or integrity.\u003c/li\u003e\n\u003cli\u003eThe malicious plugin is loaded and executed within the OpenClaw environment.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the OpenClaw assistant environment and executes malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as stealing data, installing malware, or compromising other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42428 allows attackers to compromise the local OpenClaw assistant environment. The lack of integrity verification means a malicious plugin can execute arbitrary code, potentially leading to data theft, system compromise, or further lateral movement within the network. The severity is high due to the potential for complete system compromise and the relative ease of exploitation, requiring only that a user install a malicious plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42428.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious OpenClaw Plugin Installation\u0026rdquo; to detect the installation of unsigned or suspicious plugins.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of installing plugins from untrusted sources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-plugin-vuln/","summary":"OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives, allowing attackers to install malicious plugins and compromise the local assistant environment.","title":"OpenClaw Plugin Archive Integrity Vulnerability (CVE-2026-42428)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-plugin-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41405"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["resource-exhaustion","webhook","cve-2026-41405"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is vulnerable to a resource exhaustion attack due to improper handling of MS Teams webhook requests. The application parses the request body before validating the JWT, which allows unauthenticated attackers to send malicious payloads. By sending specially crafted Teams webhook payloads, attackers can bypass authentication checks and exhaust server resources. This vulnerability, identified as CVE-2026-41405, can lead to denial of service and impacts systems where OpenClaw is used to process MS Teams webhooks. Successful exploitation can severely degrade or halt OpenClaw\u0026rsquo;s functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an OpenClaw instance processing MS Teams webhooks.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious MS Teams webhook payload designed to consume excessive resources during parsing.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious webhook payload to the OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eOpenClaw receives the webhook request and begins parsing the request body \u003cem\u003ebefore\u003c/em\u003e JWT validation.\u003c/li\u003e\n\u003cli\u003eThe malicious payload triggers excessive resource consumption (CPU, memory) during the parsing stage.\u003c/li\u003e\n\u003cli\u003eThe parsing process exhausts available server resources.\u003c/li\u003e\n\u003cli\u003eOpenClaw becomes unresponsive or crashes due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eLegitimate MS Teams webhook requests are no longer processed, leading to a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, rendering OpenClaw unresponsive. This can disrupt any services relying on OpenClaw for MS Teams webhook processing. While the precise number of affected organizations is unknown, any organization using a vulnerable version of OpenClaw is at risk. The impact includes potential loss of data, interrupted workflows, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41405.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the MS Teams webhook endpoint to mitigate resource exhaustion, even after patching.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e, product \u003ccode\u003elinux\u003c/code\u003e) for unusual traffic patterns and large request sizes to the MS Teams webhook endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect High Number of Requests to Teams Webhook\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-resource-exhaustion/","summary":"OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.","title":"OpenClaw MS Teams Webhook Resource Exhaustion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-resource-exhaustion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41387"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","environment-variable"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.22 contain a vulnerability related to incomplete sanitization of host environment variables. This flaw, found in \u003ccode\u003ehost-env-security-policy.json\u003c/code\u003e and \u003ccode\u003ehost-env-security.ts\u003c/code\u003e, allows for the overriding of package manager environment settings. An attacker can leverage this vulnerability to redirect approved execution requests, manipulating the package resolution process or the runtime bootstrap. By doing so, they can point these processes to attacker-controlled infrastructure. This enables the execution of trojanized content, potentially leading to supply chain attacks or arbitrary code execution within the affected environment. The vulnerability is identified as CVE-2026-41387.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an OpenClaw instance running a version prior to 2026.3.22.\u003c/li\u003e\n\u003cli\u003eAttacker crafts malicious environment variables designed to override the package manager\u0026rsquo;s default settings.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an approved execution request within the OpenClaw environment.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete sanitization, the attacker-controlled environment variables are used by the package manager.\u003c/li\u003e\n\u003cli\u003eThe package manager is redirected to the attacker\u0026rsquo;s infrastructure for package resolution or runtime bootstrap.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s infrastructure serves trojanized content disguised as legitimate packages or runtime components.\u003c/li\u003e\n\u003cli\u003eOpenClaw executes the trojanized content, granting the attacker initial access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41387 can lead to the execution of arbitrary code within the OpenClaw environment. This can result in compromised systems, data breaches, or supply chain attacks. Due to the nature of package management redirection, the impact could extend beyond the initial target, affecting other systems relying on the compromised OpenClaw instance. The vulnerability has a CVSS v3.1 score of 7.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.22 or later to remediate the vulnerability described in CVE-2026-41387.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation on environment variables used by OpenClaw, focusing on package manager settings, to prevent redirection attacks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to unusual or untrusted domains during package resolution or runtime bootstrap, as this may indicate an attempted redirection attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-vuln/","summary":"OpenClaw before 2026.3.22 is vulnerable to incomplete host environment variable sanitization, allowing attackers to redirect package resolution or runtime bootstrap to attacker-controlled infrastructure and execute trojanized content.","title":"OpenClaw Incomplete Host Environment Variable Sanitization Vulnerability (CVE-2026-41387)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-41380"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41380","execution-approval-bypass","privilege-escalation","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a software of undetermined function, is vulnerable to an execution approval bypass (CVE-2026-41380) affecting versions prior to 2026.3.28. The vulnerability resides in \u003ccode\u003eexec-approvals-allowlist.ts\u003c/code\u003e, where the system incorrectly trusts wrapper carrier executables instead of the actual invoked targets. This flaw allows attackers to manipulate positional carrier executable routing through dispatch wrappers. By exploiting this, attackers can establish overly broad allowlist entries, effectively weakening the intended execution approval boundaries. This vulnerability was reported on April 28, 2026, and poses a significant risk by allowing unauthorized code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a system with OpenClaw installed, potentially through social engineering or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a dispatch wrapper executable that is already on the allowlist.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload to be executed through the identified wrapper.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages positional carrier executable routing to pass the malicious payload to the wrapper.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s \u003ccode\u003eexec-approvals-allowlist.ts\u003c/code\u003e incorrectly trusts the wrapper, adding it to the allow-always list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands using the allowlisted wrapper with the malicious payload, bypassing intended restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by executing privileged commands through the bypassed execution approval mechanism.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence by utilizing the now-trusted wrapper to execute malicious code repeatedly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41380 allows attackers to bypass intended execution restrictions within OpenClaw. This can lead to arbitrary code execution, privilege escalation, and persistent malicious activity. The vulnerability allows attackers to effectively weaken the security posture of systems relying on OpenClaw\u0026rsquo;s execution approval mechanisms, potentially leading to complete system compromise. The precise number of affected installations is unknown, but any system running a vulnerable version of OpenClaw is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate CVE-2026-41380.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious OpenClaw Wrapper Execution\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview existing allowlist entries within OpenClaw to identify and remove any overly broad or suspicious entries that may have been created through exploitation of CVE-2026-41380.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw\u0026rsquo;s logs for unexpected or unauthorized execution events related to wrapper executables as described in the vulnerability details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-exec-approval-bypass/","summary":"OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.","title":"OpenClaw Execution Approval Bypass Vulnerability (CVE-2026-41380)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-exec-approval-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41384"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["environment-variable-injection","code-execution","cve-2026-41384"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a CLI tool, is vulnerable to environment variable injection (CVE-2026-41384) in versions prior to 2026.3.24. The vulnerability resides in the CLI backend runner and allows attackers to inject malicious environment variables into the backend process. This is achieved by crafting malicious workspace configurations. Successful exploitation can lead to arbitrary code execution within the context of the OpenClaw process or exposure of sensitive information handled by the application. This vulnerability poses a significant risk to systems using affected versions of OpenClaw, potentially allowing attackers to compromise the confidentiality, integrity, and availability of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious OpenClaw workspace configuration file. This file contains specially crafted environment variables designed to inject malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to a system where OpenClaw is installed, either through local access or by compromising an account that has access to modify OpenClaw workspace configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the existing OpenClaw workspace configuration or creates a new one with the malicious environment variables.\u003c/li\u003e\n\u003cli\u003eThe user or system executes a command using the OpenClaw CLI, triggering the backend runner.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw CLI backend runner parses the workspace configuration file, including the attacker-controlled environment variables.\u003c/li\u003e\n\u003cli\u003eThe backend runner spawns a new process, inheriting the injected environment variables.\u003c/li\u003e\n\u003cli\u003eThe injected environment variables cause the spawned process to execute arbitrary code, potentially downloading and executing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, enabling them to perform various malicious activities such as data exfiltration, privilege escalation, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-41384) allows attackers to inject arbitrary environment variables, potentially leading to code execution or sensitive data exposure. Given the nature of CLI tools often used in automated scripting and deployment pipelines, this could lead to widespread compromise across multiple systems. The severity is rated as HIGH with a CVSS v3.1 score of 7.8.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.24 or later to remediate CVE-2026-41384.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit who can modify OpenClaw workspace configurations to prevent unauthorized injection of malicious environment variables.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by OpenClaw, using the \u003ccode\u003eOpenClaw Suspicious Child Processes\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on OpenClaw workspace configuration files to detect unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-env-injection/","summary":"OpenClaw before 2026.3.24 is vulnerable to environment variable injection, allowing attackers to inject malicious environment variables through crafted workspace configurations in the CLI backend, leading to potential code execution or sensitive data exposure.","title":"OpenClaw Environment Variable Injection Vulnerability (CVE-2026-41384)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41383"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve-2026-41383","directory-traversal","file-deletion","openclaw"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.2 is susceptible to an arbitrary directory deletion vulnerability (CVE-2026-41383) when operating in mirror mode. An attacker with control over the OpenShell configuration paths, specifically \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e, can trigger the deletion of unintended remote directory contents. This is achieved by manipulating these configuration values to point to sensitive directories. The subsequent mirror sync operation replaces the deleted contents with data from the attacker\u0026rsquo;s workspace, leading to data loss and potential system compromise. This vulnerability allows an attacker to potentially wipe out important data on the remote end.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the OpenClaw configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and/or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e configuration values to point to a target directory they wish to delete.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a mirror sync operation.\u003c/li\u003e\n\u003cli\u003eOpenClaw, using the attacker-controlled path, connects to the remote system.\u003c/li\u003e\n\u003cli\u003eOpenClaw deletes the contents of the directory specified by the modified \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e or \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw uploads the contents of the attacker\u0026rsquo;s local workspace to the now-empty remote directory, effectively replacing the original data.\u003c/li\u003e\n\u003cli\u003eThe targeted remote directory now contains the attacker\u0026rsquo;s data instead of the original contents.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion and data replacement, potentially causing significant disruption and data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to arbitrary deletion of files and directories on the remote system where OpenClaw is used in mirror mode. The impact includes potential data loss, service disruption, and the replacement of legitimate data with attacker-controlled content. Given the CVSS v3.1 score of 8.1, this vulnerability is considered high severity due to the potential for significant data integrity and availability impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.2 or later to remediate CVE-2026-41383.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw configuration files for unauthorized modifications to \u003ccode\u003eremoteWorkspaceDir\u003c/code\u003e and \u003ccode\u003eremoteAgentWorkspaceDir\u003c/code\u003e using a file integrity monitoring system.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to OpenClaw configuration files to prevent unauthorized modification of these settings.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process execution related to modification of openclaw configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T12:00:00Z","date_published":"2026-04-29T12:00:00Z","id":"/briefs/2026-04-openclaw-directory-deletion/","summary":"OpenClaw before 2026.4.2 is vulnerable to arbitrary directory deletion in mirror mode, enabling attackers to delete remote directories by manipulating remoteWorkspaceDir and remoteAgentWorkspaceDir configuration values.","title":"OpenClaw Arbitrary Directory Deletion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-directory-deletion/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-42432"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","cve-2026-42432"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, a local assistant system, is vulnerable to a privilege escalation attack. CVE-2026-42432 affects versions prior to 2026.4.8. Attackers who have previously paired a node with the OpenClaw system can bypass re-pairing authentication. This allows them to reconnect with the ability to execute commands that should require \u003ccode\u003eoperator.admin\u003c/code\u003e scope. The vulnerability enables unauthorized execution of privileged commands on the local assistant system, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker initially pairs a node with the OpenClaw system, establishing a legitimate connection.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw system is upgraded to a version prior to 2026.4.8, or remains on a vulnerable version.\u003c/li\u003e\n\u003cli\u003eThe attacker disconnects the previously paired node.\u003c/li\u003e\n\u003cli\u003eThe attacker reconnects the node to the OpenClaw system.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the re-pairing authentication process is bypassed.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the bypassed authentication to send commands to the OpenClaw system.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw system processes these commands as if they were authorized by an administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker executes privileged commands, gaining unauthorized control over the local assistant system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary commands with elevated privileges on the OpenClaw system. This can lead to complete compromise of the local assistant system, potentially affecting other connected devices or systems. The vulnerability could be exploited to steal sensitive data, install malware, or disrupt critical services. The impact is high due to the potential for full system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42432.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of compromised OpenClaw systems.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for unusual command execution patterns after node reconnections, using a rule similar to the provided \u0026ldquo;Detect OpenClaw Unauthorized Command Execution\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T19:37:47Z","date_published":"2026-04-28T19:37:47Z","id":"/briefs/2026-04-openclaw-privesc/","summary":"OpenClaw before 2026.4.8 contains a privilege escalation vulnerability that allows previously paired nodes to reconnect and execute privileged commands without proper authorization, potentially leading to complete system compromise.","title":"OpenClaw Privilege Escalation Vulnerability (CVE-2026-42432)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-42426"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.4.8 are vulnerable to an improper authorization flaw (CVE-2026-42426). The vulnerability resides within the \u003ccode\u003enode.pair.approve\u003c/code\u003e method, which erroneously accepts the \u003ccode\u003eoperator.write\u003c/code\u003e scope instead of the intended \u003ccode\u003eoperator.pairing\u003c/code\u003e scope. This oversight enables users possessing \u003ccode\u003eoperator.write\u003c/code\u003e permissions, which are typically less privileged, to circumvent the intended node pairing approval process. Successful exploitation allows unauthorized access to nodes capable of executing commands (\u003ccode\u003eexec\u003c/code\u003e-capable nodes). This vulnerability was publicly disclosed in April 2026 and presents a significant risk to OpenClaw deployments, potentially leading to unauthorized command execution and data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains \u003ccode\u003eoperator.write\u003c/code\u003e permissions, potentially through compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an \u003ccode\u003eexec\u003c/code\u003e-capable node that requires pairing.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a request to the \u003ccode\u003enode.pair.approve\u003c/code\u003e method, using their \u003ccode\u003eoperator.write\u003c/code\u003e credentials.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enode.pair.approve\u003c/code\u003e method incorrectly validates the \u003ccode\u003eoperator.write\u003c/code\u003e scope, instead of requiring \u003ccode\u003eoperator.pairing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe node pairing request is approved despite the attacker lacking the proper \u003ccode\u003eoperator.pairing\u003c/code\u003e permission.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the now-paired \u003ccode\u003eexec\u003c/code\u003e-capable node.\u003c/li\u003e\n\u003cli\u003eAttacker executes arbitrary commands on the compromised node due to the unauthorized pairing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42426 allows attackers with \u003ccode\u003eoperator.write\u003c/code\u003e permissions to bypass node pairing restrictions and gain unauthorized access to \u003ccode\u003eexec\u003c/code\u003e-capable nodes. This can lead to arbitrary command execution on the affected nodes, potentially leading to data breaches, system compromise, or denial-of-service conditions. The severity of the impact depends on the capabilities and data accessible to the compromised node.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.8 or later to patch CVE-2026-42426.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw logs for attempts to call the \u003ccode\u003enode.pair.approve\u003c/code\u003e method using accounts with only \u003ccode\u003eoperator.write\u003c/code\u003e permissions. Deploy the Sigma rule to detect this activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies to minimize the risk of unauthorized users obtaining \u003ccode\u003eoperator.write\u003c/code\u003e permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T19:37:46Z","date_published":"2026-04-28T19:37:46Z","id":"/briefs/2026-04-openclaw-auth-bypass/","summary":"OpenClaw before 2026.4.8 contains an improper authorization vulnerability (CVE-2026-42426) allowing attackers with `operator.write` permissions to bypass node pairing approval and gain unauthorized access to `exec`-capable nodes by exploiting the `node.pair.approve` method which incorrectly accepts the `operator.write` scope instead of the narrower `operator.pairing` scope.","title":"OpenClaw Improper Authorization Vulnerability (CVE-2026-42426)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-41399"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","websocket","cve"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw, in versions prior to 2026.3.28, suffers from a denial-of-service vulnerability due to a lack of pre-authentication budget allocation for WebSocket upgrades. This flaw allows unauthenticated network attackers to initiate a large number of concurrent WebSocket upgrade requests without any resource constraints. By exploiting this, an attacker can exhaust the server\u0026rsquo;s socket and worker capacity, effectively preventing legitimate clients from establishing WebSocket connections and disrupting normal service operation. This vulnerability poses a risk to any OpenClaw deployment accessible over a network, as it can be exploited without requiring any prior authentication or privileged access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an OpenClaw server accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a large number of WebSocket upgrade requests to the server. These requests are crafted to initiate the WebSocket handshake process.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server accepts these requests without pre-authentication checks or resource limits.\u003c/li\u003e\n\u003cli\u003eEach incoming WebSocket upgrade request consumes server resources, including sockets and worker threads.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to flood the server with upgrade requests, rapidly exhausting available resources.\u003c/li\u003e\n\u003cli\u003eAs resources become scarce, the server\u0026rsquo;s ability to handle legitimate client requests degrades.\u003c/li\u003e\n\u003cli\u003eEventually, the server\u0026rsquo;s socket and worker capacity is fully exhausted, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate clients are unable to establish WebSocket connections, disrupting application functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, preventing legitimate users from accessing OpenClaw services. The number of affected users depends on the scale of the OpenClaw deployment and the number of concurrent users it typically supports. Organizations relying on OpenClaw for critical functions could experience significant disruptions and potential data loss if the service becomes unavailable. The vulnerability allows a single attacker to disrupt the service without requiring any credentials or prior access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.28 or later to remediate the vulnerability (CVE-2026-41399).\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on WebSocket upgrade requests to mitigate the impact of malicious requests. Deploy the Sigma rule \u003ccode\u003eDetect Excessive WebSocket Upgrade Requests\u003c/code\u003e to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for a high volume of WebSocket upgrade requests originating from a single source IP address. Use the Sigma rule \u003ccode\u003eDetect High Volume of WebSocket Upgrade Requests from Single IP\u003c/code\u003e to detect this pattern.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T19:37:43Z","date_published":"2026-04-28T19:37:43Z","id":"/briefs/2026-04-openclaw-dos/","summary":"OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.","title":"OpenClaw Unauthenticated WebSocket Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41364"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["symlink","file-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system\u0026rsquo;s integrity. This vulnerability was reported and patched in version 2026.3.31. Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.\u003c/li\u003e\n\u003cli\u003eOpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.\u003c/li\u003e\n\u003cli\u003eDuring extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites arbitrary files on the remote host with attacker-controlled content.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying binaries used by privileged users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Tar Archive Upload with Symlinks\u0026rdquo; to detect attempts to upload malicious tar archives containing symbolic links.\u003c/li\u003e\n\u003cli\u003eMonitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:16:25Z","date_published":"2026-04-28T00:16:25Z","id":"/briefs/2026-04-openclaw-symlink/","summary":"OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.","title":"OpenClaw Symlink Vulnerability in SSH Sandbox Tar Upload (CVE-2026-41364)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41352"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","cve-2026-41352"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 suffers from a remote code execution vulnerability (CVE-2026-41352). This flaw exists because a device-paired node can bypass the node scope gate authentication mechanism. An attacker who has already obtained device pairing credentials can exploit this vulnerability to execute arbitrary node commands on the host system. This occurs because the application doesn\u0026rsquo;t perform adequate node pairing validation, allowing malicious actors to potentially gain complete control over the affected system if successfully exploited. Defenders should prioritize patching to version 2026.3.31 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the OpenClaw system. This may involve social engineering or other means of obtaining device pairing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the device pairing credentials to authenticate to a device-paired node.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a node command on the host system.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check (CWE-862), the node scope gate authentication mechanism is bypassed.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly validates the request, failing to properly verify node pairing.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully executes an arbitrary node command on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, potentially gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform malicious activities such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41352 allows an attacker with valid device pairing credentials to execute arbitrary commands on the host system. This can lead to a complete compromise of the OpenClaw system and potentially the entire network. The number of potential victims is dependent on the number of deployments of OpenClaw before version 2026.3.31. The impact includes data breaches, system downtime, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41352.\u003c/li\u003e\n\u003cli\u003eMonitor OpenClaw systems for unauthorized command execution attempts. While no specific IOCs are available, monitor for unexpected process executions originating from the OpenClaw application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-rce/","summary":"OpenClaw before 2026.3.31 is vulnerable to remote code execution (CVE-2026-41352) because a device-paired node can bypass the node scope gate authentication mechanism, allowing attackers with device pairing credentials to execute arbitrary node commands.","title":"OpenClaw Remote Code Execution via Node Scope Gate Bypass (CVE-2026-41352)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41347"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["medium"],"_cs_tags":["csrf","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.3.31 is susceptible to Cross-Site Request Forgery (CSRF) attacks. The vulnerability lies in the lack of browser-origin validation within the HTTP operator endpoints when the application operates in trusted-proxy mode. This allows an attacker to craft malicious HTTP requests originating from a user\u0026rsquo;s browser to perform unauthorized actions within the OpenClaw application. Successful exploitation of this vulnerability enables attackers to execute privileged operations, potentially leading to data modification or unauthorized access to sensitive functionalities. This vulnerability requires the application to be deployed in trusted-proxy mode to be exploitable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTML page containing a forged HTTP request targeting a vulnerable OpenClaw HTTP operator endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker hosts the malicious HTML page on a website or delivers it through phishing.\u003c/li\u003e\n\u003cli\u003eA victim user, authenticated to the OpenClaw application, visits the malicious HTML page in their browser.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser automatically sends the forged HTTP request to the vulnerable OpenClaw endpoint.\u003c/li\u003e\n\u003cli\u003eBecause the OpenClaw application lacks proper browser-origin validation, it processes the forged request.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to perform unauthorized actions as the authenticated user.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify user configurations or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSRF vulnerability in OpenClaw can lead to unauthorized modification of application settings, data manipulation, or even complete account takeover. While specific victim numbers are unavailable, the impact extends to any organization utilizing OpenClaw in a trusted-proxy deployment scenario. The vulnerability can potentially compromise data integrity and confidentiality, leading to significant operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41347.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious HTTP requests lacking proper origin validation within your web server logs.\u003c/li\u003e\n\u003cli\u003eImplement proper CSRF protection mechanisms, such as synchronizer tokens, in OpenClaw\u0026rsquo;s HTTP operator endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-csrf/","summary":"OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.","title":"OpenClaw Cross-Site Request Forgery Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-csrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-41336"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["cve","code-execution","environment-variable-override"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.31 are susceptible to an arbitrary code execution vulnerability, tracked as CVE-2026-41336. This flaw stems from the application\u0026rsquo;s insecure handling of environment variables. Specifically, the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, which dictates the directory from which OpenClaw loads bundled hooks, can be overridden by a workspace-specific .env file. This allows a malicious actor to craft a .env file within an untrusted workspace that points to a directory containing attacker-controlled hook code. Upon loading the workspace, OpenClaw will execute the malicious code, effectively granting the attacker arbitrary code execution within the application\u0026rsquo;s context. This vulnerability poses a significant risk to systems utilizing OpenClaw, as it can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker creates a malicious hook code file (e.g., \u003ccode\u003eevil_hook.py\u003c/code\u003e) containing arbitrary code to be executed.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a directory (e.g., \u003ccode\u003e/tmp/evil_hooks\u003c/code\u003e) and places the malicious hook code file within it.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a \u003ccode\u003e.env\u003c/code\u003e file containing the line \u003ccode\u003eOPENCLAW_BUNDLED_HOOKS_DIR=/tmp/evil_hooks\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious \u003ccode\u003e.env\u003c/code\u003e file into a workspace that a victim user is likely to open within OpenClaw.\u003c/li\u003e\n\u003cli\u003eThe victim user opens the workspace within OpenClaw.\u003c/li\u003e\n\u003cli\u003eOpenClaw reads the \u003ccode\u003e.env\u003c/code\u003e file and overrides the default \u003ccode\u003eOPENCLAW_BUNDLED_HOOKS_DIR\u003c/code\u003e with the attacker-controlled path \u003ccode\u003e/tmp/evil_hooks\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eOpenClaw loads and executes the malicious hook code from \u003ccode\u003eevil_hook.py\u003c/code\u003e, granting the attacker arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the OpenClaw process and potentially the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41336 allows an attacker to execute arbitrary code within the context of the OpenClaw application. This could lead to the complete compromise of the affected system, including data theft, modification, or destruction. Given the nature of the vulnerability, any system running a vulnerable version of OpenClaw is at risk if it processes untrusted workspaces. The CVSS v3.1 base score of 7.8 reflects the high potential impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41336.\u003c/li\u003e\n\u003cli\u003eImplement strict workspace validation to prevent the loading of malicious \u003ccode\u003e.env\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eMonitor process creations originating from the OpenClaw process for suspicious activity using the \u003ccode\u003eOpenClaw Suspicious Process Creation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eOpenClaw Environment Variable Override\u003c/code\u003e Sigma rule to detect attempts to override the OPENCLAW_BUNDLED_HOOKS_DIR variable.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T12:00:00Z","date_published":"2026-04-24T12:00:00Z","id":"/briefs/2026-04-openclaw-env-override/","summary":"OpenClaw before 2026.3.31 allows attackers to execute arbitrary code by overriding the OPENCLAW_BUNDLED_HOOKS_DIR environment variable using a workspace .env file, enabling the loading of attacker-controlled hook code.","title":"OpenClaw Arbitrary Code Execution via Environment Variable Override (CVE-2026-41336)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-env-override/"}],"language":"en","title":"CraftedSignal Threat Feed — Openclaw","version":"https://jsonfeed.org/version/1.1"}