CVE-2026-42428
Published: 28 April 2026
Summary
CVE-2026-42428 is a high-severity Missing Support for Integrity Check (CWE-353) vulnerability in OpenClaw. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 4.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-7 mandates integrity verification tools and techniques for software to detect unauthorized changes, directly addressing the missing integrity checks on downloaded plugin archives.
CM-14 requires digital signatures on software components prior to execution, preventing installation and use of tampered plugin packages.
CM-11 enforces policies and monitoring for user-installed software, restricting the installation of unverified plugin archives.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The lack of integrity verification on plugin archives allows attackers to supply and install tampered/malicious packages without detection, directly facilitating supply chain compromise of plugins and user execution of malicious files.
NVD Description
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
Deeper analysis
CVE-2026-42428 is a vulnerability in OpenClaw versions before 2026.4.8: those versions fail to enforce integrity verification on downloaded plugin archives, a weakness classified as CWE-353 (Missing Support for Integrity Check). The flaw allows attackers to install malicious or tampered plugin packages without detection, compromising the local assistant environment. The issue was published on 2026-04-28 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H).
The attack requires network access, high attack complexity, low privileges on the target system, and user interaction (for example, a user approving a plugin download and installation). An attacker with low privileges can supply a tampered plugin archive, which the software accepts without verifying its integrity, leading to high impact on confidentiality, integrity, and availability within the local assistant environment.
Advisories recommend upgrading to OpenClaw version 2026.4.8, where the issue is fixed via commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5. Further details on the vulnerability and remediation are provided in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-3vvq-q2qc-7rmp and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-missing-integrity-verification-in-package-downloads.
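The following is an added illustration of the weakness class and the two controls named above (SI-7 digest pinning, CM-14 signed components), written for this page and not taken from the OpenClaw code base or its fix commit. The manifest format, function names and Ed25519 publisher key are assumptions; the archive bytes and keys are constructed inline.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Manifest shape assumed for this example (not OpenClaw's real format): the registry
// publishes the archive's SHA-256 plus a detached Ed25519 signature from the publisher.
interface PluginManifest {
  name: string;
  version: string;
  sha256: string;     // hex digest of the archive bytes
  signature: string;  // base64 Ed25519 signature over `${name}@${version}:${sha256}`
}
function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}
function signedPayload(m: Pick<PluginManifest, "name" | "version" | "sha256">): Buffer {
  return Buffer.from(`${m.name}@${m.version}:${m.sha256}`);
}
function buildManifest(name: string, version: string, archive: Buffer, priv: KeyObject): PluginManifest {
  const sha256 = sha256Hex(archive);
  const signature = sign(null, signedPayload({ name, version, sha256 }), priv).toString("base64");
  return { name, version, sha256, signature };
}
// Vulnerable pattern (CWE-353): whatever was downloaded gets unpacked and loaded.
function installUnverified(archive: Buffer): boolean {
  return archive.length > 0; // stands in for "extract and load"
}
// Hardened pattern: pin the digest (SI-7) and require the publisher's signature over it
// (CM-14) before a single byte of the archive is unpacked or executed.
function installVerified(archive: Buffer, m: PluginManifest, publisherKey: KeyObject): boolean {
  if (sha256Hex(archive) !== m.sha256) return false; // archive swapped or corrupted
  return verify(null, signedPayload(m), publisherKey, Buffer.from(m.signature, "base64"));
}

// Constructed scenario: a genuine publisher, an attacker with their own key, one plugin archive.
function demo() {
  const publisher = generateKeyPairSync("ed25519");
  const attacker = generateKeyPairSync("ed25519");
  const genuine = Buffer.from("PK\x03\x04 constructed plugin archive bytes");
  const manifest = buildManifest("example-plugin", "1.0.0", genuine, publisher.privateKey);
  const tampered = Buffer.concat([genuine, Buffer.from(" + injected code")]);
  // Attacker re-hashes the tampered archive but can only sign with their own key.
  const forged = buildManifest("example-plugin", "1.0.0", tampered, attacker.privateKey);
  return {
    genuineAccepted: installVerified(genuine, manifest, publisher.publicKey),
    tamperedRejected: !installVerified(tampered, manifest, publisher.publicKey),
    forgedManifestRejected: !installVerified(tampered, forged, publisher.publicKey),
    unverifiedAcceptsTampered: installUnverified(tampered),
  };
}
```

The forged-manifest case is why a pinned hash alone is not enough: an attacker who can substitute the archive can usually substitute the advertised digest too, so the digest itself must be bound to a key the installer trusts.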
Details
- CWE(s)