Cyber Resilience

CVE-2026-41295

HighPublic PoC

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 3.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-41295 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41295 is an improper trust boundary vulnerability (CWE-829) in OpenClaw versions prior to 2026.4.2. It affects the software's handling of workspace channel shadows during built-in channel setup and login processes, where untrusted shadows can execute code. The vulnerability enables attackers to leverage a malicious plugin that claims a bundled channel ID, leading to unintended in-process code execution before the plugin requires explicit user trust. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access, low attack complexity, no privileges required, and user interaction needed.

An attacker with local access can exploit this by cloning a workspace containing a malicious plugin that impersonates a trusted bundled channel ID. When the victim user opens or interacts with the cloned workspace during setup or login, the untrusted channel shadow executes arbitrary code in-process. This achieves high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the OpenClaw instance without prior privileges, though it relies on user interaction such as trusting or loading the workspace.

Mitigation is addressed in OpenClaw version 2026.4.2, as detailed in the project's GitHub security advisory (GHSA-2qrv-rc5x-2g2h) and a related commit fixing the trust boundary issue. Additional guidance appears in the Vulncheck advisory on untrusted workspace channel shadow code execution. Security practitioners should upgrade to the patched version and review workspace cloning practices to avoid loading untrusted content.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process…

more

code execution before the plugin is explicitly trusted.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability enables arbitrary code execution in client software (OpenClaw) via user interaction with a malicious workspace/plugin file, directly mapping to client exploitation and malicious file user execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32920Same product: Openclaw Openclaw
CVE-2026-41336Same product: Openclaw Openclaw
CVE-2026-41355Same product: Openclaw Openclaw
CVE-2026-41396Same product: Openclaw Openclaw
CVE-2026-41384Same product: Openclaw Openclaw
CVE-2026-43569Same product: Openclaw Openclaw
CVE-2026-43571Same product: Openclaw Openclaw
CVE-2026-22217Same product: Openclaw Openclaw
CVE-2026-32979Same product: Openclaw Openclaw
CVE-2026-35641Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces information flow control policies at trust boundaries to prevent untrusted workspace channel shadows from executing malicious code during setup and login.

prevent

Timely flaw remediation through vendor patching directly addresses the improper trust boundary vulnerability fixed in OpenClaw 2026.4.2.

preventdetect

Malicious code protection mechanisms block execution of code from untrusted plugins impersonating bundled channel IDs in cloned workspaces.

References