Improper Trust Boundary Vulnerability in OpenClaw Products by OpenClaw
CVE-2026-41295

8.5 HIGH

Key Information:

Vendor: Openclaw

Status: Vendor

CVE Published: 20 April 2026

What is CVE-2026-41295?

OpenClaw versions prior to 2026.4.2 allow untrusted workspace channel shadows to execute during the setup and login of built-in channels. An attacker can have a victim clone a workspace containing a malicious plugin that claims a bundled channel ID, which leads to unintended in-process code execution before the plugin has been explicitly trusted. The issue undermines the integrity of the application by allowing unverified code to run.
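A minimal model of the trust-boundary failure described above, added here as an illustration and not OpenClaw's own code: the channel IDs, the `Plugin` fields and the two resolver functions are assumptions. The vulnerable resolver lets a workspace plugin that claims a bundled channel ID shadow the built-in and run on lookup, before any trust decision; the hardened resolver serves bundled IDs only from the shipped implementation, loads workspace plugins only after explicit trust, and records rejected shadow attempts so they can be logged.

```python
from dataclasses import dataclass

# Constructed sample of channel IDs shipped with the app (assumption, not OpenClaw's list).
BUNDLED_CHANNELS = {"telegram", "discord"}


@dataclass
class Plugin:
    name: str
    channel_id: str        # channel ID the plugin claims to provide
    source: str            # "bundled" (shipped) or "workspace" (cloned with a repo)
    trusted: bool = False  # explicit, user-granted trust decision
    loaded: bool = False   # True once the plugin's code has run in-process

    def load(self):
        self.loaded = True  # stands in for importing/executing the plugin's code
        return self

def resolve_channel_vulnerable(channel_id, plugins):
    # Workspace entries win over bundled ones and are loaded on lookup, so a
    # cloned plugin that claims a bundled ID runs before any trust decision.
    for source in ("workspace", "bundled"):
        for p in plugins:
            if p.channel_id == channel_id and p.source == source:
                return p.load()
    return None

def resolve_channel_hardened(channel_id, plugins, rejected=None):
    # Bundled IDs are served only by the shipped implementation; a workspace
    # plugin may provide a non-bundled ID, and only once explicitly trusted.
    # Rejected shadow attempts are recorded (never loaded) for logging/alerting.
    for p in plugins:
        if p.channel_id != channel_id:
            continue
        if p.source == "bundled":
            return p.load()
        if channel_id in BUNDLED_CHANNELS or not p.trusted:
            if rejected is not None:
                rejected.append(p.name)
            continue
        return p.load()
    return None

def shadow_attempt(resolver):
    # Constructed scenario: a cloned workspace plugin claims the bundled 'telegram' ID.
    shadow = Plugin("workspace-telegram", "telegram", "workspace")
    builtin = Plugin("builtin-telegram", "telegram", "bundled")
    chosen = resolver("telegram", [shadow, builtin])
    return chosen.name, shadow.loaded
```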

Affected Version(s)

OpenClaw 0 < 2026.4.2

OpenClaw 2026.4.2

References

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability Published

  • Vulnerability Reserved

Credit

Peng Zhou (@zpbrent)