CVE-2026-43571
Plugin Trust Bypass in OpenClaw Before 2026.4.10

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.
Affected Vendors & Products

Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.4.10 (excluding)
CWE

CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Detection Guidance

The provided resources do not include specific detection methods or commands to identify the presence of this vulnerability on a network or system.

Executive Summary

CVE-2026-43571 is a plugin trust bypass vulnerability in OpenClaw versions before 2026.4.10. It occurs because channel setup catalog lookups can resolve workspace plugin shadows before bundled channel plugins, allowing malicious workspace plugins to bypass intended trust gates during setup-time plugin loading.

This means attackers can craft malicious plugins that get loaded without proper trust validation, potentially leading to unauthorized code execution or privilege escalation within the OpenClaw environment.

Impact Analysis

This vulnerability can allow attackers to bypass security checks during plugin setup, leading to unauthorized plugin loading.

  • Unauthorized code execution within the OpenClaw environment.
  • Privilege escalation by loading malicious plugins that should have been blocked.
  • Potential misconfigurations or unauthorized changes to the system due to untrusted plugins being installed.
Mitigation Strategies

To mitigate CVE-2026-43571, upgrade OpenClaw to version 2026.4.10 or later; these versions include the fix that prevents untrusted workspace plugin shadows from bypassing trust gates during setup-time plugin loading.

The fix routes setup catalog lookups through trusted catalog paths and uses the excludeWorkspace: true option to exclude workspace shadows where appropriate, so that only trusted (bundled) channel plugins are resolved during setup.
