CVE-2026-41295

· NIST NVD ↗

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process code execution before the plugin is explicitly trusted.

HIGH
CVSS severity
7.8
CVSS base score
2026-04-21
Published

CWE codes

CWE-829

Affected products

openclaw:openclaw

Sources