CVE-2026-42423
Severity: HIGH
OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
Title source: cnaDescription
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.
References (3)
Core References
- Vendor Advisory: GitHub Security Advisory (GHSA-q2gc-xjqw-qp89)
  https://github.com/openclaw/openclaw/security/advisories/GHSA-q2gc-xjqw-qp89
- Patch: Patch Commit
  https://github.com/openclaw/openclaw/commit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5
- Third Party Advisory: VulnCheck Advisory: OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
  https://www.vulncheck.com/advisories/openclaw-strictinlineeval-approval-boundary-bypass-via-approval-timeout-fallback
Scores
CVSS v3 base score: 7.5
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0004
EPSS Percentile: 12.7%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-636 (Not Failing Securely, "Failing Open")
Status: published
Products (2)
- OpenClaw/OpenClaw, versions < 2026.4.8
- OpenClaw/OpenClaw, version 2026.4.8
Published: Apr 28, 2026
Tracked Since: Apr 29, 2026