CVE-2026-42423

· NIST NVD ↗

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.

HIGH
CVSS severity
7.5
CVSS base score
2026-04-28
Published

CWE codes

CWE-636

Affected products

openclaw:openclaw

Sources