CVE-2026-43571
Analyzed Analyzed - Analysis Complete

Plugin Trust Bypass in OpenClaw Before 2026.4.10

Vulnerability report for CVE-2026-43571, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: VulnCheck

Description

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-43571 is a plugin trust bypass vulnerability in OpenClaw versions before 2026.4.10. It occurs because channel setup catalog lookups can resolve workspace plugin shadows before bundled channel plugins, allowing malicious workspace plugins to bypass intended trust gates during setup-time plugin loading.

This means attackers can craft malicious plugins that get loaded without proper trust validation, potentially leading to unauthorized code execution or privilege escalation within the OpenClaw environment.

Impact Analysis

This vulnerability can allow attackers to bypass security checks during plugin setup, leading to unauthorized plugin loading.

  • Unauthorized code execution within the OpenClaw environment.
  • Privilege escalation by loading malicious plugins that should have been blocked.
  • Potential misconfigurations or unauthorized changes to the system due to untrusted plugins being installed.
Mitigation Strategies

To mitigate the vulnerability CVE-2026-43571 in OpenClaw, users should upgrade their OpenClaw installation to version 2026.4.10 or later, as these versions include the fix that prevents untrusted workspace plugin shadows from bypassing trust gates during setup-time plugin loading.

The fix involves routing setup catalog lookups through trusted catalog paths and using the excludeWorkspace: true option to exclude workspace shadows where appropriate, ensuring that only trusted plugins are loaded.

Detection Guidance

The provided resources do not include specific detection methods or commands to identify the presence of this vulnerability on a network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart