CVSS 8.8 · HIGH

CVE-2026-43571

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.

View on NVD

Analysis

OpenClaw appears to be a niche tool outside the standard web, mobile, or backend developer stack. The CVSS 8.8 score and the plugin trust bypass matter to anyone running it, and the vector's PR:L reflects that an attacker needs only enough access to place a crafted plugin in the workspace. Its limited deployment nonetheless keeps the issue below the threshold for community-wide relevance. Affected users should upgrade to 2026.4.10 or later.

Severity

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Flaw type (CWE): CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.04%)
Percentile: 11.9%
EPSS date: 2026-05-06

Technical description

Before 2026.4.10, when OpenClaw resolves a channel plugin during channel setup, the catalog lookup consults workspace plugins before the bundled channel plugins. A workspace plugin that reuses the name of a bundled channel plugin therefore shadows it and is loaded at setup time without passing through the trust gates intended for workspace plugins. An attacker who can place a crafted workspace plugin can thus get it loaded in place of the bundled channel plugin during setup.
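The shadowing described above, modelled as an added TypeScript example. This is not OpenClaw's code or its actual fix: the catalog shape, the `telegram`/`custom-chat`/`rogue` plugin names, the allowlist-style trust gate and the function names are all assumptions chosen to show the bug class. The vulnerable pair searches the workspace first and runs whatever the lookup returns; the fixed pair resolves bundled plugins first and gates every non-bundled entry on its provenance. `findShadowingWorkspacePlugins` is the check an operator would run to see whether any workspace plugin collides with a bundled channel id.

```typescript
// Added illustration of the resolution-order bug class the advisory describes.
// This is NOT OpenClaw's code; the plugin model, names and trust gate are assumed.

type PluginSource = "bundled" | "workspace";

interface PluginEntry {
  id: string;            // channel name the setup flow looks up, e.g. "telegram"
  source: PluginSource;  // where the plugin came from
  load: () => string;    // stands in for running the plugin's setup hook
}

interface PluginCatalog {
  bundled: PluginEntry[];
  workspace: PluginEntry[];
  // Assumed trust gate: workspace plugins the operator has explicitly approved.
  trustedWorkspaceIds: Set<string>;
}

class TrustGateError extends Error {}

// VULNERABLE lookup: the catalog is searched workspace-first, so a workspace
// plugin that reuses a bundled channel's id shadows the bundled plugin.
function resolveChannelPluginVulnerable(catalog: PluginCatalog, id: string): PluginEntry | undefined {
  const fromWorkspace = catalog.workspace.find((p) => p.id === id);
  if (fromWorkspace) return fromWorkspace;
  return catalog.bundled.find((p) => p.id === id);
}

// VULNERABLE loader: the caller assumes a channel plugin found through the
// catalog is the bundled one and runs it with no trust check at all.
function setupChannelVulnerable(catalog: PluginCatalog, id: string): string {
  const entry = resolveChannelPluginVulnerable(catalog, id);
  if (!entry) throw new Error(`unknown channel plugin: ${id}`);
  return entry.load();
}

// FIXED lookup: bundled channel plugins are resolved first, so a same-named
// workspace plugin can never take their slot.
function resolveChannelPluginFixed(catalog: PluginCatalog, id: string): PluginEntry | undefined {
  const fromBundled = catalog.bundled.find((p) => p.id === id);
  if (fromBundled) return fromBundled;
  return catalog.workspace.find((p) => p.id === id);
}

// FIXED loader: trust is decided from the entry's provenance, not from how
// the lookup happened to find it; every non-bundled plugin must pass the gate.
function setupChannelFixed(catalog: PluginCatalog, id: string): string {
  const entry = resolveChannelPluginFixed(catalog, id);
  if (!entry) throw new Error(`unknown channel plugin: ${id}`);
  if (entry.source !== "bundled" && !catalog.trustedWorkspaceIds.has(entry.id)) {
    throw new TrustGateError(`workspace plugin "${entry.id}" is not trusted for channel setup`);
  }
  return entry.load();
}

// Triage check: which workspace plugins collide with a bundled channel id?
// On a vulnerable version each of these can hijack that channel's setup.
function findShadowingWorkspacePlugins(catalog: PluginCatalog): string[] {
  const bundledIds = new Set(catalog.bundled.map((p) => p.id));
  return catalog.workspace.filter((p) => bundledIds.has(p.id)).map((p) => p.id);
}

// Constructed sample catalog: one bundled channel, one workspace plugin that
// shadows it, one approved workspace plugin and one unapproved one.
function sampleCatalog(): PluginCatalog {
  return {
    bundled: [{ id: "telegram", source: "bundled", load: () => "bundled telegram setup" }],
    workspace: [
      { id: "telegram", source: "workspace", load: () => "workspace telegram shadow ran" },
      { id: "custom-chat", source: "workspace", load: () => "custom-chat setup" },
      { id: "rogue", source: "workspace", load: () => "rogue plugin ran" },
    ],
    trustedWorkspaceIds: new Set(["custom-chat"]),
  };
}

const demo = sampleCatalog();
console.log("shadowing workspace plugins:", findShadowingWorkspacePlugins(demo));
console.log("vulnerable setup ran:", setupChannelVulnerable(demo, "telegram"));
console.log("fixed setup ran:", setupChannelFixed(demo, "telegram"));
```

Reordering the lookup alone is not the whole fix: the loader must also decide trust from where the entry came from, otherwise any other path that hands it a workspace entry reintroduces the bypass. That is why the fixed pair changes both the resolution order and the gate.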

Published: 5/5/2026, 12:16:20
Last modified: 5/5/2026, 19:32:49
