CVE-2026-41295
Published: 21 April 2026
Summary
CVE-2026-41295 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces information flow control policies at trust boundaries to prevent untrusted workspace channel shadows from executing malicious code during setup and login.
Timely flaw remediation through vendor patching directly addresses the improper trust boundary vulnerability fixed in OpenClaw 2026.4.2.
Malicious code protection mechanisms block execution of code from untrusted plugins impersonating bundled channel IDs in cloned workspaces.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables arbitrary code execution in client software (OpenClaw) via user interaction with a malicious workspace/plugin file, directly mapping to client exploitation and malicious file user execution.
NVD Description
OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a workspace with a malicious plugin claiming a bundled channel id to achieve unintended in-process…
more
code execution before the plugin is explicitly trusted.
Deeper analysisAI
CVE-2026-41295 is an improper trust boundary vulnerability (CWE-829) in OpenClaw versions prior to 2026.4.2. It affects the software's handling of workspace channel shadows during built-in channel setup and login processes, where untrusted shadows can execute code. The vulnerability enables attackers to leverage a malicious plugin that claims a bundled channel ID, leading to unintended in-process code execution before the plugin requires explicit user trust. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact with local access, low attack complexity, no privileges required, and user interaction needed.
An attacker with local access can exploit this by cloning a workspace containing a malicious plugin that impersonates a trusted bundled channel ID. When the victim user opens or interacts with the cloned workspace during setup or login, the untrusted channel shadow executes arbitrary code in-process. This achieves high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the OpenClaw instance without prior privileges, though it relies on user interaction such as trusting or loading the workspace.
Mitigation is addressed in OpenClaw version 2026.4.2, as detailed in the project's GitHub security advisory (GHSA-2qrv-rc5x-2g2h) and a related commit fixing the trust boundary issue. Additional guidance appears in the Vulncheck advisory on untrusted workspace channel shadow code execution. Security practitioners should upgrade to the patched version and review workspace cloning practices to avoid loading untrusted content.
Details
- CWE(s)