CVE-2026-35641

HIGH · 7.8

No AI summary yet — the auto-summarizer runs every 10 minutes for top trending CVEs.

Description

OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.

CVSS 3.1 breakdown

Exploitability 1.8 · Impact 5.9

vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack vector: Local
Complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected versions

openclaw/openclaw
- < 2026.3.24

Weaknesses

CWE-349

Vendors

openclaw

Products

openclaw

References

Third-party advisories · 1

https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation