Compliance Impact

CVE-2026-35641 allows arbitrary local code execution during the installation of local plugins or hooks in OpenClaw by exploiting a maliciously crafted .npmrc file. This vulnerability can lead to unauthorized access, modification, or disruption of system confidentiality, integrity, and availability.

Such unauthorized code execution and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security.

Specifically, the high impact on confidentiality, integrity, and availability indicated by the CVSS scores suggests that sensitive data could be exposed or altered, violating regulatory requirements for protecting personal or health information.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35641 is a high-severity arbitrary code execution vulnerability in OpenClaw versions before 2026.3.24. It occurs during the installation of local plugins or hooks when an attacker crafts a malicious .npmrc file that overrides the Git executable path used by npm.

During the npm install process in a staged package directory, npm reads this attacker-controlled .npmrc file. If the package includes Git dependencies, npm will invoke the malicious Git executable specified in the .npmrc file, leading to execution of arbitrary code controlled by the attacker.

This vulnerability bypasses the intended security boundary and the --ignore-scripts flag used during installation, allowing code execution before the plugin or hook is trusted.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code locally on your system during the installation of untrusted local plugins or hooks in OpenClaw.

• Arbitrary local code execution can compromise system confidentiality, integrity, and availability.
• It can lead to unauthorized actions, data breaches, or system disruption by executing malicious programs.
• The attack requires local access and user interaction but no special privileges.
• Because it occurs before trust is established in the plugin or hook, it can bypass security controls intended to prevent malicious code execution.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting local plugin or hook package directories for the presence of a malicious or unexpected .npmrc file that overrides the git executable path.

You can manually check for suspicious .npmrc files in staged package directories before running npm install.

A suggested command to detect such malicious .npmrc files is to search for .npmrc files containing a git override configuration, for example:

• grep -r "git=" /path/to/plugin-or-hook-directory/.npmrc

Additionally, monitoring the execution of npm install commands in local plugin or hook installation processes and auditing the git executable path used during these installs can help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, where this vulnerability is fixed.

Until the upgrade is applied, avoid installing untrusted local plugins or hooks that may contain malicious .npmrc files.

As a temporary measure, manually inspect and remove or sanitize any .npmrc files in plugin or hook package directories before running npm install.

Also, consider restricting or monitoring the use of git dependencies in local plugin or hook installations to prevent triggering the malicious git executable override.

Useful 0 Not Useful 0