CVE-2026-62194 PUBLISHED

OpenClaw 2026.5.20 < 2026.6.9 Privilege Escalation via Plugin Install

Assigner: VulnCheck
Reserved: 13.07.2026 Published: 13.07.2026 Updated: 14.07.2026

OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate privileges and perform unauthorized actions when the feature is reachable.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor OpenClaw
Product OpenClaw
Versions Default: unaffected
  • affected from 2026.5.20 to 2026.6.9 (excl.)
  • Version 2026.6.9 is unaffected

Credits

  • Rex Liu (@rexpository) reporter

References

Problem Types

  • Incorrect Permission Assignment for Critical Resource CWE
  • Missing Authorization CWE