Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass
OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. CVE-2026-35641 affects versions before 2026.3.24 and lets a malicious local plugin or hook package use a crafted .npmrc file to override the git executable during npm install, resulting in arbitrary program execution. CVE-2026-41349 affects versions before 2026.3.28 and allows low-privileged remote attackers to bypass execution approval through config.patch, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching.
Additional OpenClaw issues published shortly afterwards expand the attack surface. CVE-2026-41336 affects versions before 2026.3.31 and allows workspace .env files to override OPENCLAW_BUNDLED_HOOKS_DIR, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. CVE-2026-41352, also fixed in 2026.3.31, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package simple-git disclosed CVE-2026-6951, an RCE flaw in versions before 3.36.0 caused by incomplete blocking of Git configuration options: when untrusted input reaches the library's options, an attacker can pass --config, enable protocol.ext.allow=always, and trigger execution through an ext:: clone source.
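The CVE-2026-41336 entry describes a workspace .env file overriding OPENCLAW_BUNDLED_HOOKS_DIR, the variable that tells the host where its trusted hooks live. The pattern a defender wants is the opposite: the process environment is trusted, the workspace file is not, and the file may only fill gaps, never redirect a security-relevant path. The following is an added example written for this page, not OpenClaw's code; the variable name OPENCLAW_BUNDLED_HOOKS_DIR comes from the advisory, while the other protected names, the sample .env contents and the trusted environment are constructed for illustration.

```javascript
// Added example (not OpenClaw's own code): load a workspace .env without letting
// it override variables that decide which code the host trusts and executes.

// Keys a workspace must never set or override. OPENCLAW_BUNDLED_HOOKS_DIR is
// the variable named in the advisory; PATH and NODE_OPTIONS are stand-ins for
// other settings that also change what code runs (assumed, not from the page).
const PROTECTED_ENV_KEYS = new Set([
  "OPENCLAW_BUNDLED_HOOKS_DIR",
  "PATH",
  "NODE_OPTIONS",
]);

// Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes.
// Keys that are not valid environment-variable names are dropped.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue;
    out[key] = value;
  }
  return out;
}

// Merge a workspace .env into a copy of the trusted environment.
// Protected keys are refused outright; keys the trusted environment already
// defines are not overridden either (the file only fills gaps). Every refusal
// is reported so the host can log it.
function mergeWorkspaceEnv(baseEnv, dotenvText) {
  const parsed = parseDotenv(dotenvText);
  const env = { ...baseEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (PROTECTED_ENV_KEYS.has(key)) {
      rejected.push({ key, reason: "protected" });
      continue;
    }
    if (Object.prototype.hasOwnProperty.call(baseEnv, key)) {
      rejected.push({ key, reason: "already-set" });
      continue;
    }
    env[key] = value;
  }
  return { env, rejected };
}

// Constructed sample: a workspace .env that tries to point the host at its
// own hooks directory and to change the log level.
const SAMPLE_DOTENV = `
# workspace settings
OPENCLAW_BUNDLED_HOOKS_DIR=/tmp/workspace/untrusted-hooks
API_BASE_URL="https://api.example.test"
LOG_LEVEL=debug
`;

// Constructed trusted environment set by the host before any workspace loads.
const TRUSTED_ENV = {
  OPENCLAW_BUNDLED_HOOKS_DIR: "/opt/openclaw/hooks",
  LOG_LEVEL: "info",
};

function demo() {
  return mergeWorkspaceEnv(TRUSTED_ENV, SAMPLE_DOTENV);
}

console.log(JSON.stringify(demo(), null, 2));
```

The two rules are deliberately separate: the protected set blocks a class of keys regardless of state, while the no-override rule mirrors the default of common dotenv loaders and catches anything the host has already decided on. Logging the `rejected` list turns a silent override attempt into a detectable event.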

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Snyk received simple-git RCE vulnerability report
Snyk received a report for CVE-2026-6951 affecting simple-git versions before 3.36.0. The issue stems from incomplete mitigation of CVE-2022-25912, allowing attackers to use the --config form with ext:: clone sources to achieve remote code execution when untrusted input reaches the options argument.
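Both the summary above and this timeline entry attribute CVE-2026-6951 to an incomplete block on Git configuration options: one spelling of the override was refused while another reached `git clone`. The page does not say which spelling the earlier fix missed, so the added example below, which is not simple-git's code, does not try to reproduce that fix. It instead shows the shape a defender wants: canonicalise every way a caller can supply a config override before deciding, then refuse the dangerous keys and the ext:: transport by prefix. The blocked-key patterns generalise from protocol.ext.allow (named on the page) to every protocol.<name>.allow switch, which is an assumption about what a conservative policy should cover; the clone URLs and argument lists are constructed.

```javascript
// Added example (not simple-git's own code): vet caller-supplied options
// before they reach `git clone`. Canonicalise first, decide afterwards.

// Config keys that must never be caller-controlled. protocol.ext.allow is the
// switch named in the advisory; the pattern also covers the other
// protocol.<name>.allow variants and the global protocol.allow (assumption:
// a conservative policy treats the whole family alike). Git reads section and
// variable names case-insensitively, hence the /i flag.
const BLOCKED_CONFIG_KEYS = [
  /^protocol\.[^.]+\.allow$/i,
  /^protocol\.allow$/i,
];

// Clone sources that hand control to an external command. `ext::` is the
// transport named in the advisory.
const BLOCKED_SOURCE_PREFIXES = ["ext::"];

// Collect every config override from argv-style options, whatever its spelling:
//   -c key=value        -ckey=value
//   --config key=value  --config=key=value
// Returns the normalised {key, value} pairs and the remaining arguments.
function extractConfigOverrides(args) {
  const overrides = [];
  const rest = [];
  for (let i = 0; i < args.length; i++) {
    const a = String(args[i]);
    let raw;
    if (a === "-c" || a === "--config") {
      i += 1;                                        // value is the next argument
      raw = i < args.length ? String(args[i]) : ""; // missing value -> malformed
    } else if (a.startsWith("--config=")) {
      raw = a.slice("--config=".length);
    } else if (a.startsWith("-c") && a.length > 2) {
      raw = a.slice(2);                              // attached short form
    } else {
      rest.push(a);
      continue;
    }
    const eq = raw.indexOf("=");
    const key = (eq === -1 ? raw : raw.slice(0, eq)).trim();
    const value = eq === -1 ? "true" : raw.slice(eq + 1); // bare key means boolean true
    overrides.push({ key, value });
  }
  return { overrides, rest };
}

// Decide whether a clone request may proceed. Blocked keys are refused
// regardless of value: allowing only "never" would still let a caller probe
// the setting, and there is no legitimate reason for untrusted input to touch it.
function vetCloneRequest(source, args) {
  const reasons = [];
  const { overrides } = extractConfigOverrides(args);
  for (const { key, value } of overrides) {
    if (key === "") {
      reasons.push("malformed config override (empty key)");
    } else if (BLOCKED_CONFIG_KEYS.some((re) => re.test(key))) {
      reasons.push(`blocked config key: ${key}=${value}`);
    }
  }
  const src = String(source).trim().toLowerCase();
  for (const prefix of BLOCKED_SOURCE_PREFIXES) {
    if (src.startsWith(prefix)) reasons.push(`blocked clone source transport: ${prefix}`);
  }
  return { ok: reasons.length === 0, reasons, overrides };
}

// Constructed requests: one benign, the rest spelling the same override in
// different ways, plus a source using the ext:: transport (placeholder value).
const SAMPLE_REQUESTS = [
  { source: "https://example.test/repo.git", args: ["--depth", "1", "-c", "core.autocrlf=false"] },
  { source: "https://example.test/repo.git", args: ["-c", "protocol.ext.allow=always"] },
  { source: "https://example.test/repo.git", args: ["--config=Protocol.Ext.Allow=always"] },
  { source: "https://example.test/repo.git", args: ["-cprotocol.ext.allow=always"] },
  { source: "ext::PLACEHOLDER", args: [] },
];

function demo() {
  return SAMPLE_REQUESTS.map((r) => vetCloneRequest(r.source, r.args));
}

for (const result of demo()) console.log(result.ok ? "allow" : "deny", result.reasons);
```

Only the first constructed request is allowed. Because detection runs on the normalised key rather than on the literal argument, adding a new spelling of the option to `extractConfigOverrides` is enough to cover it; the policy itself never has to change.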
Belgium CCB warned users to patch OpenClaw immediately
The Centre for Cybersecurity Belgium published an advisory warning that three high-severity OpenClaw vulnerabilities could lead to remote code execution. The advisory urged immediate patching.
Three new OpenClaw high-severity vulnerabilities were disclosed
Three OpenClaw vulnerabilities were disclosed on April 23, 2026: CVE-2026-41336, CVE-2026-41352, and CVE-2026-41349. They affect versions before 2026.3.31 or 2026.3.28 and enable arbitrary hook code execution, node scope gate bypass leading to RCE, and agentic consent bypass via config.patch, respectively.
OpenClaw .npmrc plugin installation RCE vulnerability reported
A vulnerability affecting OpenClaw versions before 2026.3.24 was received by disclosure@vulncheck.com. The flaw allows arbitrary code execution during local plugin or hook installation via a malicious .npmrc file that overrides the git executable used by npm.
Sources
CVE-2026-6951 - SimpleGit Remote Code Execution (RCE) (cvefeed.io)
Warning: 3 high severity vulnerabilities in OpenClaw can lead to RCE, Patch Immediately! | CCB Belgium (ccb.belgium.be)
CVE-2026-41336 - OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override (cvefeed.io)
CVE-2026-41352 - OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass (cvefeed.io)
CVE-2026-41349 - OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch (cvefeed.io)
CVE-2026-35641 - OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation (cvefeed.io)