Home

Description

OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scripts before execution without invalidating the approval plan, allowing execution of modified script contents.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-23 | Updated 2026-04-24 | Assigner VulnCheck




MEDIUM: 5.4CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.7CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status
unaffected

Any version before 2026.4.2
affected

2026.4.2 (semver)
unaffected

Credits

风间映川 (@Kazamayc) reporter

References

github.com/...enclaw/security/advisories/GHSA-w6wx-jq6j-6mcj (GitHub Security Advisory (GHSA-w6wx-jq6j-6mcj)) vendor-advisory

github.com/...ommit/176c059b05357df1bc09d4328a2380670859eeff (Patch Commit) patch

www.vulncheck.com/...bypass-in-pnpm-dlx-local-script-binding (VulnCheck Advisory: OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding) third-party-advisory

cve.org (CVE-2026-41360)

nvd.nist.gov (CVE-2026-41360)

Download JSON