Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass
OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. CVE-2026-35641 affects versions before 2026.3.24 and lets a malicious local plugin or hook package use a crafted .npmrc file to override the git executable during npm install, resulting in arbitrary program execution. CVE-2026-41349 affects versions before 2026.3.28 and allows low-privileged remote attackers to bypass execution approval through config.patch, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching.
Additional OpenClaw issues published shortly after expand the attack surface. CVE-2026-41336 affects versions before 2026.3.31 and allows workspace .env files to override OPENCLAW_BUNDLED_HOOKS_DIR, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. CVE-2026-41352, also fixed in 2026.3.31, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package simple-git disclosed CVE-2026-6951, an RCE flaw in versions before 3.36.0 caused by incomplete blocking of Git configuration options, allowing attackers to abuse --config, enable protocol.ext.allow=always, and trigger execution through an ext:: clone source when untrusted input reaches the library's options.
Timeline
Apr 25, 2026
Snyk received simple-git RCE vulnerability report
Snyk received a report for CVE-2026-6951 affecting simple-git versions before 3.36.0. The issue stems from incomplete mitigation of CVE-2022-25912, allowing attackers to use the --config form with ext:: clone sources to achieve remote code execution when untrusted input reaches the options argument.
Apr 24, 2026
Belgium CCB warned users to patch OpenClaw immediately
The Centre for Cybersecurity Belgium published an advisory warning that three high-severity OpenClaw vulnerabilities could lead to remote code execution. The advisory urged immediate patching.
Apr 23, 2026
Three new OpenClaw high-severity vulnerabilities were disclosed
Three OpenClaw vulnerabilities were disclosed on April 23, 2026: CVE-2026-41336, CVE-2026-41352, and CVE-2026-41349. They affect versions before 2026.3.31 or 2026.3.28 and enable arbitrary hook code execution, node scope gate bypass leading to RCE, and agentic consent bypass via config.patch, respectively.
Apr 10, 2026
OpenClaw .npmrc plugin installation RCE vulnerability reported
A vulnerability affecting OpenClaw versions before 2026.3.24 was received by disclosure@vulncheck.com. The flaw allows arbitrary code execution during local plugin or hook installation via a malicious .npmrc file that overrides the git executable used by npm.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
1 more from sources like cvefeed high severity
Related Stories
OpenClaw Flaws Let Authenticated Users Escalate Privileges and Bypass Authorization
Two high-severity vulnerabilities in OpenClaw exposed paths for authenticated users to gain access beyond their intended roles. **CVE-2026-32042** affects versions before `2026.2.25` and allows an attacker with valid shared gateway authentication to present a self-signed, unpaired device identity and bypass pairing requirements, then self-assign elevated operator scopes including `operator.admin`. The issue is classified as `CWE-863` and effectively turns a trusted but unapproved device identity into a route for privilege escalation. A second flaw, **CVE-2026-32051**, affects OpenClaw versions before `2026.3.1` and allows users with `operator.write` scope to reach owner-only tool surfaces such as gateway and cron through agent runs in scoped-token deployments. The authorization mismatch lets lower-privileged authenticated users perform control-plane actions that should be restricted to owners, creating high risk to confidentiality, integrity, and availability. Advisories for both issues point to fixes and security guidance through GitHub and VulnCheck.
1 weeks ago
OpenClaw Vulnerability Enables Token Exfiltration and One-Click RCE via Malicious Link
A high-severity flaw in **OpenClaw** (also known as *Clawdbot* / *Moltbot*) enables **one-click remote code execution (RCE)** by abusing how the Control UI auto-connects to a gateway specified via a crafted URL. The issue is tracked as **CVE-2026-25253** (CVSS **8.8**) and was fixed in **OpenClaw 2026.1.29**; the core weakness is that the UI trusts `gatewayUrl` from the query string and sends a stored gateway token in the WebSocket connection payload, allowing **token exfiltration** to an attacker-controlled server. With the stolen token, an attacker can connect to the victim’s local gateway and perform privileged actions—such as modifying configuration (e.g., sandbox/tool policies) and invoking privileged operations—resulting in **full gateway compromise** and RCE. Separate reporting also highlights architectural risk in OpenClaw’s local WebSocket-based Chrome orchestration, noting that (prior to patching) unauthenticated connections could be initiated from JavaScript running in a user’s browser, enabling cross-tab/session credential theft; users are advised to **patch immediately** and be cautious about deployment given ongoing security concerns.
1 months ago
Command Injection Flaws Expose OpenClaw and Anthropic Claude Code to RCE
Two high-severity command injection vulnerabilities have been disclosed in developer tooling and automation software, enabling arbitrary command execution through improperly sanitized shell inputs. `CVE-2026-32917` affects OpenClaw versions earlier than `2026.3.13`, where the iMessage attachment staging workflow passes unsanitized remote attachment paths directly into an SCP remote operand. If remote attachment staging is enabled, an unauthenticated attacker can use shell metacharacters in attachment paths to execute commands on configured remote hosts; the flaw is tracked as `CWE-78` and carries a CVSS v3.1 rating of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. A separate issue, `CVE-2026-35020`, impacts Anthropic Claude Code CLI and the Claude Agent SDK, where attacker-controlled input from the `TERMINAL` environment variable can reach `/bin/sh` with `shell=true` through the command lookup helper and deep-link terminal launcher. A local attacker can exploit the bug during normal CLI use or via the deep-link handler to run arbitrary commands with the privileges of the invoking user. Both disclosures highlight continued risk from unsanitized shell metacharacters in application workflows, with OpenClaw publishing a fixing commit and security advisory alongside third-party vulnerability reporting.
3 weeks ago