CVE-2026-41360
Severity: MEDIUM
OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding
Title source: CNA

Description
OpenClaw before 2026.4.2 contains an approval integrity vulnerability in its pnpm dlx handling: local script operands are not bound to the approval the way they are in the pnpm exec flow. An attacker with local access can replace an approved local script after approval but before execution without invalidating the approval plan, so the modified script contents are executed under the original approval.
References (3)
Core References
Vendor Advisory
GitHub Security Advisory (GHSA-w6wx-jq6j-6mcj)
https://github.com/openclaw/openclaw/security/advisories/GHSA-w6wx-jq6j-6mcj
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/176c059b05357df1bc09d4328a2380670859eeff
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding
https://www.vulncheck.com/advisories/openclaw-approval-integrity-bypass-in-pnpm-dlx-local-script-binding
Scores
CVSS v3: 6.7
EPSS: 0.0009
EPSS Percentile: 0.6%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-367
Status: published
Products (3)
OpenClaw/OpenClaw: < 2026.4.2
openclaw/openclaw: < 2026.4.2
OpenClaw/OpenClaw: 2026.4.2
Published: Apr 23, 2026
Tracked Since: Apr 24, 2026