
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CWQ8-6F96-G3Q4: Fail-Open Security Bypass in OpenClaw Plugin Installation

Vulnerability ID: GHSA-CWQ8-6F96-G3Q4
CVSS Score: 8.8
Published: 2026-04-02

OpenClaw versions prior to March 30, 2026, contain a critical fail-open vulnerability in the plugin installation mechanism. The security scanner designed to block dangerous code patterns fails to halt the installation process when encountering internal errors or critical security findings.

TL;DR

A fail-open flaw in OpenClaw allows malicious plugins to bypass security scans and execute arbitrary code by triggering scanner errors or relying on ignored warnings.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-390
  • Attack Vector: Local / User-Assisted
  • CVSS Score: 8.8 (High)
  • Impact: Arbitrary Code Execution
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • OpenClaw Plugin Installer
  • OpenClaw Skills Runtime
  • BuiltinInstallScan Module
  • OpenClaw: all versions before the fix of March 30, 2026 (fixed in commit 7a953a52)

Code Analysis

Commit: 7a953a5

Enforce fail-closed model for plugin installation scans

```typescript
function buildBlockedScanResult(params: {
  builtinScan: BuiltinInstallScan;
  targetLabel: string;
}): InstallSecurityScanResult | undefined {
  // Fail closed: a scanner that did not complete blocks the install
  // instead of letting it proceed.
  if (params.builtinScan.status === "error") {
    return {
      blocked: {
        code: "security_scan_failed",
        reason: buildScanFailureBlockReason({ /* ... */ }),
      },
    };
  }
  // Any critical finding blocks the install.
  if (params.builtinScan.critical > 0) {
    return {
      blocked: {
        code: "security_scan_blocked",
        reason: buildCriticalBlockReason({ /* ... */ }),
      },
    };
  }
  // No scanner error and no critical findings: the install may proceed.
  return undefined;
}
```
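As an added example that is not OpenClaw's code, the fail-open decision the advisory describes beside its fail-closed replacement; the type names, the `decideFailOpen` and `decideFailClosed` functions and the sample scan outcomes are assumptions constructed for illustration:

```typescript
// Added example, not OpenClaw's code. Type and function names are assumptions.
type ScanStatus = "ok" | "error";

interface ScanResult {
  status: ScanStatus;
  critical: number;       // number of critical findings
  warnings: number;       // number of non-critical findings
  errorMessage?: string;  // set when status === "error"
}

interface InstallDecision {
  allowed: boolean;
  code?: "security_scan_failed" | "security_scan_blocked";
  reason?: string;
}

// Pre-fix shape: scanner errors and critical findings are only logged,
// so the install continues in every case (fail open).
function decideFailOpen(scan: ScanResult): InstallDecision {
  if (scan.status === "error") {
    console.warn(`scan failed: ${scan.errorMessage}`); // logged, then ignored
  }
  if (scan.critical > 0) {
    console.warn(`scan reported ${scan.critical} critical finding(s)`); // ignored
  }
  return { allowed: true };
}

// Fixed shape: a scanner error or any critical finding blocks the install;
// only a scan that completed cleanly lets it proceed (fail closed).
function decideFailClosed(scan: ScanResult): InstallDecision {
  if (scan.status === "error") {
    return { allowed: false, code: "security_scan_failed",
             reason: `scanner did not complete: ${scan.errorMessage ?? "unknown error"}` };
  }
  if (scan.critical > 0) {
    return { allowed: false, code: "security_scan_blocked",
             reason: `${scan.critical} critical finding(s) in plugin` };
  }
  return { allowed: true };
}

// Constructed sample scan outcomes.
const SCAN_CRASHED: ScanResult = { status: "error", critical: 0, warnings: 0,
                                   errorMessage: "scanner threw on malformed manifest" };
const SCAN_CRITICAL: ScanResult = { status: "ok", critical: 2, warnings: 1 };
const SCAN_CLEAN: ScanResult = { status: "ok", critical: 0, warnings: 3 };
```

Warnings that are not critical still pass under the fixed shape; the advisory's "ignored warnings" concern is about errors and critical findings being treated as non-blocking.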

Mitigation Strategies

  • Update OpenClaw to a version released after March 30, 2026
  • Run retrospective deep audits on installed plugins
  • Monitor application logs for specific scanner failure strings

Remediation Steps:

  1. Verify the current running version of OpenClaw.
  2. Pull the latest changes or download the latest release containing commit 7a953a52271b9188a5fa830739a4366614ff9916.
  3. Restart the OpenClaw service to ensure the new installation logic is loaded into memory.
  4. Execute the command openclaw security audit --deep to retroactively identify malicious plugins installed prior to patching.
  5. Uninstall any plugins flagged by the audit command.

Read the full report for GHSA-CWQ8-6F96-G3Q4 on our website for more details including interactive diagrams and full exploit analysis.
