top of page
perceptive_background_267k.jpg

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup…

Published:

20 April 2026 at 22:00:00

Alert date:

21 April 2026 at 17:05:49

Source:

nvd.nist.gov

Click to open the original link from this advisory

Enterprise Applications, Security Tools

OpenClaw versions before 2026.4.2 contain an improper trust boundary vulnerability that allows untrusted workspace channel shadows to execute during built-in channel setup and login processes. Attackers can exploit this by cloning a workspace with a malicious plugin that claims a bundled channel ID. This enables unintended in-process code execution before the plugin undergoes explicit trust verification. The vulnerability affects the plugin trust mechanism and workspace security boundaries. The issue has been addressed in version 2026.4.2 with proper trust boundary enforcement.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-41295
https://github.com/openclaw/openclaw/commit/53c29df2a9eb242a70d0ff29f3d1e67c8d6801f0
https://github.com/openclaw/openclaw/security/advisories/GHSA-2qrv-rc5x-2g2h
https://www.vulncheck.com/advisories/openclaw-untrusted-workspace-channel-shadow-code-execution-during-built-in-channel-setup

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page