CVE-2026-43571

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

HIGH 8,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading.

829

Inclusion of Functionality from Untrusted Control Sphere

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/openclaw/openclaw/commit/1fede43b948df40…

https://github.com/openclaw/openclaw/commit/1fede43b948df40ca8674511d4bd08d39f6…

https://github.com/openclaw/openclaw/security/advisories/GH…

https://github.com/openclaw/openclaw/security/advisories/GHSA-82qx-6vj7-p8m2

https://www.vulncheck.com/advisories/openclaw-untrusted-wor…

https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-plugin-shadow…

CVE-2026-43571

Description

Inclusion of Functionality from Untrusted Control Sphere

Common Consequences

Applicable Platforms

Iscriviti alla newsletter