CVE-2026-42423
Received Received - Intake
Bypass of Inline Eval Approval in OpenClaw Enables Unauthorized Code Execution

Publication date: 2026-04-28

Last updated on: 2026-04-30

Assigner: VulnCheck

Description
OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback to execute inline eval commands that should require explicit user approval, circumventing the intended security boundary.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-42423
EUVD
EUVD-2026-26126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-42423 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-42423 is a vulnerability in OpenClaw versions before 2026.4.8 that involves a security bypass in the strictInlineEval feature. Normally, inline eval commands require explicit user approval to execute, but due to an approval-timeout fallback mechanism on gateway and node execution hosts, this approval requirement can be bypassed.

This fallback causes the system to 'fail open,' allowing attackers to execute inline eval commands without the necessary explicit user approval, circumventing the intended security boundary.

The issue was fixed in version 2026.4.8 after being reported by security researchers.

Impact Analysis

This vulnerability can allow attackers to execute inline eval commands on affected OpenClaw systems without explicit user approval, potentially leading to unauthorized code execution.

Because the security boundary intended to prevent unauthorized command execution is bypassed, attackers with some level of access could escalate their privileges or perform malicious actions that compromise system integrity and confidentiality.

The vulnerability has a high severity rating, indicating a significant risk if exploited.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-42423, you should upgrade OpenClaw to version 2026.4.8 or later, where the approval-timeout fallback mechanism bypassing the strictInlineEval explicit-approval requirement has been fixed.

This update ensures that inline eval commands require explicit user approval as intended, preventing attackers from exploiting the timeout fallback to execute unauthorized commands.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42423. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart