CVE-2026-41360 PUBLISHED

OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding

Assigner: VulnCheck
Reserved: 20.04.2026
Published: 23.04.2026
Updated: 23.04.2026

OpenClaw before 2026.4.2 contains an approval integrity vulnerability: its pnpm dlx flow does not bind local script operands to the approved content in the way the pnpm exec flow does. An attacker can replace an approved local script after approval and before execution without invalidating the approval plan, so the modified script contents are executed.
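
One way to bind local script operands at approval time and re-check them before execution, as an added illustration of the CWE-367 fix this record describes (example code, not OpenClaw's own; the ApprovalPlan, build_plan and verify_plan names are hypothetical):

```python
import hashlib
import os
import shlex
import tempfile
from dataclasses import dataclass, field

# Hypothetical model of an approval plan for a package-runner command such as
# `pnpm dlx <tool> ./script.sh`; names are illustrative, not OpenClaw's own.
LOCAL_SCRIPT_SUFFIXES = (".sh", ".js", ".cjs", ".mjs", ".py")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class ApprovalPlan:
    argv: tuple
    # local script operand -> content digest captured when the user approved it
    bound_scripts: dict = field(default_factory=dict)


def build_plan(command: str) -> ApprovalPlan:
    """Approval time: bind every local script operand to its content digest."""
    argv = tuple(shlex.split(command))
    bound = {a: sha256_file(a) for a in argv[1:]
             if a.endswith(LOCAL_SCRIPT_SUFFIXES) and os.path.isfile(a)}
    return ApprovalPlan(argv, bound)


def verify_plan(plan: ApprovalPlan) -> bool:
    """Execution time: refuse to run if any bound script no longer matches."""
    return all(os.path.isfile(p) and sha256_file(p) == d
               for p, d in plan.bound_scripts.items())


def demo() -> tuple:
    """Constructed scenario: a script is approved, then rewritten before it runs."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "setup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho approved\n")
        plan = build_plan(f"dlx some-tool {shlex.quote(script)}")
        ok_before = verify_plan(plan)          # digest still matches -> True
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho replaced\n")
        ok_after = verify_plan(plan)           # content changed -> False
    return ok_before, ok_after
```

A residual window remains between verify_plan and the actual exec; reading the script once and executing the already-verified bytes closes it.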

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.4

Product Status

Vendor: OpenClaw
Product: OpenClaw
Versions (default: unaffected):
  • affected from 0 to 2026.4.2 (excl.)
  • Version 2026.4.2 is unaffected

Credits

  • 风间映川 (@Kazamayc) reporter

Problem Types

  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition